Abstract

We prove the security of quantum key distribution against the most general attacks which can 
be performed on the channel, by an eavesdropper who has unlimited computation abilities, and the 
full power allowed by the rules of classical and quantum physics. A key created that way can then 
be used to transmit secure messages in a way that their security is also unaffected in the future. 



1 Introduction 

Quantum key distribution (QKD) uses the power of quantum mechanics to distribute a key that is secure against an adversary with unlimited computation power. Such a task is beyond the ability of classical information processing. The extra power gained by the use of quantum bits (quantum two-level systems) is due to the fact that the state of such a system cannot be cloned. The security of conventional key distribution, on the other hand, rests on the (unproven) existence of various one-way functions, and mainly on the difficulty of factoring large numbers, a problem which is assumed to be hard for a classical computer and is proven to be easy for a hypothetical quantum computer.

Various proofs of security were previously obtained against collective attacks, and we continue this line of research here to prove the ultimate security of quantum key distribution (QKD) against any attack (under the conventional assumptions of QKD, as explained below). Note that the eavesdropper is assumed to have unlimited technology (e.g., a quantum memory, a quantum computer), while the legitimate users use practical tools (or, more precisely, simplifications of practical tools).

To prove security against such a super-strong eavesdropper we develop some important technical tools and reach some surprising results: we show new information-versus-disturbance results, in which the power of quantum information theory is manifested in an intuitive and clear way. We show explicitly how the randomness of the bases and the randomness of the choice of test bits provide the desired security of QKD. We adopt and generalize sophisticated tools invented in the earlier analysis of collective attacks: a purification which simplifies Eve's states; a bound on accessible information (using the trace-norm difference of density matrices) which avoids any complicated optimization over Eve's possible measurements; and a connection between Eve's accessible information and the error rate she induces. We add some more simplifications (which were not required in the analysis of collective attacks): a reduction to a scheme in which all qubits are used by Alice and Bob, and a use of the symmetries of the problem under investigation.

Other security results and claims, among them [14], were recently given (see a few more details in Appendix A). The security result of Lo and Chau [14] uses novel techniques and is very important, but it is somewhat limited: the QKD protocol analyzed in [14] requires that the legitimate users have quantum memories and quantum computers, technologies which are far from being available to the legitimate users. The security result of Mayers [7] is equivalent to ours in the sense that it proves the security of a realistic protocol against an unrestricted eavesdropper and provides explicit bounds on the eavesdropper's information. There is no doubt that Mayers was the first to understand many of the difficulties and subtle points related to the security issues. The main problem with the proof of Mayers is its complexity and strict formality; as a result, there was no consensus regarding its correctness and completeness. Recently, Mayers' proof was confirmed by a few researchers (e.g. [15]) and we believe that a consensus will soon be reached.

(Author affiliations from the title page: Computer Science Department, Technion, Haifa 32000, Israel; DIRO, Université de Montréal, Montréal, Canada; Dept. of Electrical Engineering, UCLA, Los Angeles, CA 90095-1594, USA.)

We follow the standard assumptions of QKD: 1) Alice and Bob share an unjammable classical 
channel. This assumption is usually replaced by the demand that Alice and Bob share a short secret 
key to be used for authenticating a standard classical channel (hence the protocol is then a quantum 
key expansion protocol). 2) Eve cannot attack Alice's and Bob's labs. She can only attack the quantum 
channel and listen to all transmissions on the classical channel. 3) Alice sends quantum bits (two level 
systems). 

We prove the security of the Bennett-Brassard-84 (BB84) protocol [1] against any attack allowed by the rules of quantum physics. We prove asymptotic security even for instances in which the error rate in the transmission from Alice to Bob is up to 7.56%; this allowed error rate can be increased much further by choosing fixed codes and obtaining practical (rather than asymptotic) security results.

1.1 The BB84 Protocol and the used-bits-BB84 protocol 

Alice and Bob use four possible quantum states in two bases (using "spin" notation and connecting it to "computation basis" notation): (i) $|0_z\rangle = |0\rangle$; (ii) $|1_z\rangle = |1\rangle$; (iii) $|0_x\rangle = \frac{1}{\sqrt2}(|0\rangle + |1\rangle)$; and (iv) $|1_x\rangle = \frac{1}{\sqrt2}(|0\rangle - |1\rangle)$. We shall refer to these states as the BB84 states.

We prove in this paper the security of a simplified protocol in which only the relevant bits are discussed (we call it the "used-bits-BB84"). The proof for the original BB84 protocol follows immediately, due to a simple reduction, as we show in Appendix B.

Let us describe the used-bits protocol in detail, splitting it into creating the sifted key and creating 
the final key from the sifted key. This simplified protocol assumes that Bob has a quantum memory. 

I. Creating the sifted key: 

1. Alice and Bob choose a large integer $n$. The protocol uses $2n$ bits.

2. Alice randomly selects two $2n$-bit strings, $b$ and $i$, which are then used to create qubits: the string $b$ determines the basis ($0 = z$ and $1 = x$) of each qubit, and the string $i$ determines the value (0 or 1) of each of the $2n$ qubits (in the appropriate bases).

Alice generates 2n qubits according to her selection, and sends them to Bob via a quantum 
communication channel. 

3. Bob tells Alice when he receives the qubits. 

4. Alice publishes the bases she used, b; this step should be performed only after Bob received all 
the qubits. 

Bob measures the qubits in Alice's bases to obtain a 2n-bit string j. 

We shall refer to the resulting 2n-bit string as the sifted key, and it would have been the same 
for Alice and Bob, i = j, if natural errors and eavesdropping did not exist. 

II. Creating the final key from the sifted key: 

1. Alice chooses at random a $2n$-bit string $s$ which has exactly $n$ ones. There are $\binom{2n}{n}$ such strings to choose from.

2. From the $2n$ bits, Alice selects the subset of $n$ bits determined by the zeros in $s$ to be the test bits. Alice publishes the values of these test bits (given by a string $i_T$). The values of Bob's bits on the test bits are given by $j_T$.

The other $n$ bits are the information bits (given by a string $i_I$). They are used for deriving a final key via error correction codes (ECC) and privacy amplification (PA) techniques. [Alice sends the ECC and PA information to Bob, so Bob needs to correct his errors and apply the PA to obtain a key equal to Alice's.]

3. Bob verifies that the error rate $p_{\rm test} = |i_T \oplus j_T|/n$ in the test bits is lower than some agreed error rate $p_{\rm allowed}$, and aborts the protocol if the error rate is larger.

4. Bob also publishes the values of his test bits ($j_T$). This is not crucial for the protocol, but it is done to simplify the proof.

5. Alice selects a linear ECC with $2^k$ code words of $n$ bits and a minimal Hamming distance $d$ between any two words, an $(n,k,d)$ code, and publishes it along with the ECC parities of the information bits. The strategy is that Alice announces the parity check matrix of the ECC, i.e., $r = n-k$ parity check strings of $n$ bits, $v_s$, $s = 1,\dots,r$. She then announces $r$ bits which are the parities of her string $i_I$ with respect to the parity check matrix, namely $v_s \cdot i_I$ for all $s$. Bob does not announce anything. The condition on the ECC is that it corrects $t \ge (p_{\rm allowed} + \varepsilon_{\rm rel})\,n$ errors, for some positive $\varepsilon_{\rm rel}$. An ECC corrects $t$ errors if $d \ge 2t+1$, and thus $d \ge 2(p_{\rm allowed}+\varepsilon_{\rm rel})\,n + 1$ must be chosen.

6. Bob performs the correction on the information bits.

7. Alice selects a privacy amplification function (PA) and publishes it. The PA strategy is to publish $m$ $n$-bit strings and use the parities of the bits masked by these strings as the secret key. That is, she announces privacy amplification strings $v_s$, $s = r+1,\dots,r+m$, of $n$ bits each. The final secret key bits are $v_s \cdot i_I$. This strategy is similar to error correction except that the parities are kept secret.

The PA strings must be chosen such that the minimal distance $\hat v$ between any string in their span and any string in the span of their union with the ECC parity check strings is at least $\hat v \ge 2(p_{\rm allowed}+\varepsilon_{\rm sec})\,n$. Note that, by definition, the minimal distance $\hat d$ of the space spanned by the ECC and PA strings is at most the above distance, hence if we demand $\hat d \ge 2(p_{\rm allowed}+\varepsilon_{\rm sec})\,n$ the above criterion is automatically satisfied.

8. Bob performs the PA on the corrected information bits. The result obtained is the final key.
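As an added illustration (example code written for this page, not part of the original paper), the following Python program runs the used-bits-BB84 protocol above classically: Alice's bases and bits, Bob's sifted string, the test/information split given by $s$, the published parity-check strings and parities, Bob's syndrome decoding, and the secret PA parities. The quantum channel is modeled only through Bob's outcomes in Alice's bases (he measures after $b$ is published), so a channel is just a function producing $j$ from $i$; the codes are random linear codes picked by rejection sampling, in the spirit of the RLC analysis in the appendix. The parameters ($n = 16$, $r = 6$ parity-check strings, $m = 2$ PA strings, $t = 1$) are toy values of my own choice, and the PA weight threshold is passed in as `d_hat` and set to 3, since no 16-bit toy code reaches the paper's $2(p_{\rm allowed}+\varepsilon_{\rm sec})\,n$. The swap attack of Section 1.3 is included as a second channel, with the exact probability that it survives the test.

```python
import math
import random
from itertools import combinations


def dot(u, v):
    """Inner product over GF(2): parity of the bitwise AND of two bit lists."""
    return sum(a & c for a, c in zip(u, v)) & 1


def parities(rows, bits):
    """Parities v_s . bits for every mask v_s in rows (what Alice publishes)."""
    return tuple(dot(row, bits) for row in rows)


def syndrome_table(ecc_rows, n, t):
    """Map syndrome -> error pattern for all patterns of weight <= t.
    A code corrects t errors exactly when these syndromes are pairwise distinct,
    so None is returned on a collision. The table doubles as Bob's decoder."""
    table = {}
    for w in range(t + 1):
        for pos in combinations(range(n), w):
            e = [1 if k in pos else 0 for k in range(n)]
            syn = parities(ecc_rows, e)
            if syn in table:
                return None
            table[syn] = e
    return table


def min_span_weight(rows):
    """Minimum Hamming weight over the non-zero GF(2) combinations of rows;
    returns 0 if the rows are linearly dependent (brute force, 2^len(rows) masks)."""
    best = None
    for mask in range(1, 1 << len(rows)):
        v = [0] * len(rows[0])
        for k, row in enumerate(rows):
            if mask >> k & 1:
                v = [a ^ c for a, c in zip(v, row)]
        w = sum(v)
        if w == 0:
            return 0
        if best is None or w < best:
            best = w
    return best


def choose_strings(n, r, m, t, d_hat, rng):
    """Steps II.5/II.7 with a random linear code: draw r parity-check strings and
    m PA strings until the ECC corrects t errors and the span of all r+m strings
    has minimum weight >= d_hat (the d-hat condition, with the threshold as given)."""
    while True:
        rows = [[rng.randrange(2) for _ in range(n)] for _ in range(r + m)]
        table = syndrome_table(rows[:r], n, t)
        if table is not None and min_span_weight(rows) >= d_hat:
            return rows[:r], rows[r:], table


def used_bits_bb84(n, channel, p_allowed, ecc, pa, table, rng):
    """One run of used-bits-BB84. `channel` returns Bob's outcomes in Alice's
    bases and stands for the quantum channel (or for Eve)."""
    b = [rng.randrange(2) for _ in range(2 * n)]   # bases, 0 = z and 1 = x
    i = [rng.randrange(2) for _ in range(2 * n)]   # Alice's bit values
    j = channel(b, i, rng)                         # Bob's sifted string
    s = [1] * n + [0] * n                          # exactly n ones: information bits
    rng.shuffle(s)
    test = [k for k in range(2 * n) if s[k] == 0]
    info = [k for k in range(2 * n) if s[k] == 1]
    i_T, j_T = [i[k] for k in test], [j[k] for k in test]
    i_I, j_I = [i[k] for k in info], [j[k] for k in info]
    p_test = sum(a ^ c for a, c in zip(i_T, j_T)) / n
    if p_test > p_allowed:                         # step II.3: abort
        return ("abort", p_test)
    # II.5/II.6: Alice publishes v_s . i_I; Bob decodes the syndrome difference.
    diff = tuple(a ^ c for a, c in zip(parities(ecc, i_I), parities(ecc, j_I)))
    if diff not in table:                          # more than t errors slipped through
        return ("uncorrectable", p_test)
    corrected = [a ^ e for a, e in zip(j_I, table[diff])]
    # II.7/II.8: the key bits are the secret parities over the PA strings.
    return ("key", parities(pa, i_I), parities(pa, corrected))


def flip_channel(positions):
    """Constructed noise: flip Alice's bits at the given positions."""
    def channel(b, i, rng):
        return [bit ^ (1 if k in positions else 0) for k, bit in enumerate(i)]
    return channel


def swap_attack(b, i, rng):
    """The swap attack of Section 1.3: Eve stores Alice's qubits (and reads i once
    b is published) and sends Bob random BB84 states, so Bob's outcomes in
    Alice's bases are uniformly random."""
    return [rng.randrange(2) for _ in i]


def swap_pass_probability(n, p_allowed):
    """Exact probability that n uniformly random test bits show at most
    p_allowed*n errors, i.e. that the swap attack survives step II.3."""
    k_max = math.floor(p_allowed * n)
    return sum(math.comb(n, k) for k in range(k_max + 1)) / 2 ** n


def demo(seed=2024, n=16, p_allowed=0.1):
    """Toy run (my parameters): choose the codes, then send one flipped qubit."""
    rng = random.Random(seed)
    ecc, pa, table = choose_strings(n, r=6, m=2, t=1, d_hat=3, rng=rng)
    result = used_bits_bb84(n, flip_channel({0}), p_allowed, ecc, pa, table, rng)
    return ecc, pa, table, result


if __name__ == "__main__":
    ecc, pa, table, result = demo()
    print("one flipped qubit:", result)
    print("swap attack:      ", used_bits_bb84(16, swap_attack, 0.1, ecc, pa, table, random.Random(1)))
    print("swap attack passes the test with probability", swap_pass_probability(16, 0.1))
```

With a single flipped qubit the two keys agree wherever the flip lands: on a test bit it costs $1/16 \le p_{\rm allowed}$, on an information bit it is the unique weight-1 pattern with that syndrome. The swap attack almost always aborts; `swap_pass_probability(16, 0.1)` is the exact chance of the rare pass ($17/65536$), the event the security criterion of Section 1.3 has to account for.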



1.2 Eavesdropping 

Eve attacks the qubits in two steps. First she lets all qubits pass through a device that tries to 
probe their state. Then, after receiving all the classical data, she measures the probe. She can gain 
nothing by measuring the probe earlier, since such a measurement is a special case of applying a 
unitary operation (it is the application of a measurement gate). Thus we can split Eve's attack into 
her transformation and her measurement. 

Eve's transformation: The qubits can be attacked by Eve while they are in the channel between 
Alice and Bob. Eve can perform any attack allowed by the laws of physics, the most general one 
being any unitary transformation on Alice's qubits and Eve's probe. We are generous to Eve, 
allowing her to attack all the bits together (in practice, she usually needs to send the preceding 
qubit towards Bob before she has access to the next one). 

Without loss of generality we assume that all the noise on the qubits is caused by Eve, and can be used by her in any way she likes.



Eve's measurement: Eve keeps the probe in a quantum memory. After Eve receives all the 
classical information from Alice and Bob, including the bases of all bits, the choice of test bits, 
the test bits values, the ECC, the ECC parities, and the PA, she tries to guess the final key 
using her best strategy of measurement. 

Eve's goal is to learn as much information as possible on the final key without causing Alice and Bob 
to abort the protocol due to a failure of the test. The task of finding Eve's optimal operation in these 
two steps is very difficult. Luckily, to prove security that task need not be solved, and it is enough to 
find bounds on Eve's optimal information (via any operation she could have done). 

1.3 Security and Reliability 

The issue of the security criterion is non-trivial since the obvious security criterion (that Eve's infor- 
mation given that the test passed, is small) does not work. 

To be more precise, let $A$ be a random variable representing Alice's final key, $B$ a random variable representing Bob's final key, and $\mathcal E$ a random variable representing the string in Eve's hands as a result of her measurements. Let $T$ be a random variable representing whether the test passed or failed. What one would like to obtain as a security criterion is $I(A;\mathcal E \mid T = \text{pass}) < A_{\rm info}\, e^{-\beta_{\rm info} n}$, with $A$ and $\beta$ (with any subscript) positive constants.

Unfortunately, the above bound is not satisfied in quantum cryptography: given that the test is passed, Eve can still have full information. Consider the swap attack: Eve takes Alice's qubits and puts them into a quantum memory, and sends random BB84 states to Bob. After learning the bases, Eve measures the qubits she kept and hence gets full information on Alice's final key. In this case Bob will almost always abort the protocol, because it is very unlikely that his bits will pass the test (his outcomes are independent of Alice's bits, so about half of the test bits are in error). However, even in the rare event that the test is passed, Eve still has full information on Alice's key. So, given that the test is passed (a rare event), Eve's information is still $m$ bits, and the above criterion cannot be satisfied.

In order to prove security we show that the event where the test is passed and Eve obtains 
meaningful information on the key is extremely unlikely. This means, that if Eve tries an attack that 
gives her non-negligible information on a final key she has to be extremely lucky in order to pass the 
test. Formally, the security criterion is: 

$$\Pr\big(\text{Test passes and } I_{\rm Eve} > A_{\rm info}\,e^{-\beta_{\rm info} n}\big) < A_{\rm luck}\,e^{-\beta_{\rm luck} n} . \qquad (1)$$

Here $I_{\rm Eve} = I(A;\mathcal E \mid i_T, c_T, b, s)$ is the information Eve has on the key after the particular protocol values $(i_T, j_T, b, s)$ are announced by Alice and Bob, and the probability is calculated over the cases such that $c_T = i_T \oplus j_T$ satisfies $|c_T| \le n\,p_{\rm allowed}$. Note that Alice and Bob can increase the number of bits $n$ as they like in order to increase security.

We show that the final $m$-bit key is reliable: the keys distilled by Alice and Bob are identical except for some exponentially small probability $A_{\rm rel}\, e^{-\beta_{\rm rel} n}$.

1.4 Structure of the Paper 

The rest of the paper contains three main steps. In Section 2 we reduce the problem to a simpler problem of optimizing over all attacks symmetric with respect to the bit values 0 and 1. In Section 3 we analyze the information bits in the bases actually used by Alice and Bob, and we prove our main information-versus-disturbance theorem: the eavesdropper's information on the final key is bounded by the probability of error had the other bases been used by Alice and Bob (this probability is well defined). We then obtain in Section 4 a bound on $\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T, c_T, b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s)$, and prove that this bound is exponentially small in $n$ (so that the security criterion is satisfied). Various theorems are proven in the appendices.



2 Eve's Attack 



In the protocol Alice sends a string $i$ encoded in the bases of her choice $b$, and Bob measures a string $j$ using the same set of bases. Eve prepares a probe in a known state, say $|0\rangle$. Eve applies a unitary transformation $U$ on all the qubits and her probe and then sends the disturbed qubits to Bob, while keeping her probe in her hands. Written in the basis $b$, the unitary transformation $U$ is
$$U\big(|0\rangle|i\rangle\big) = \sum_j |E'_{ij}\rangle\,|j\rangle ,$$
with $|E'_{ij}\rangle$ the unnormalized states of Eve's probe if Alice sent $|i\rangle$ and Bob received $|j\rangle$.

Recall that the choice of 0/1 is random. As a result, any attack chosen by Eve can be replaced by 
an equivalent attack which is as good, with i replaced by i © k and with j replaced by j © k. Thus, 
any attack chosen by Eve can also be replaced by an equivalent symmetric attack which is as good 
(as described below). The symmetrization does not change the induced error-rate as we show below. 
It can improve Eve's final information on the common secret key, and thus, if the optimal attack is 
asymmetric, there is also an equivalent symmetric attack which is optimal. Thus, the optimal attack 
can be assumed to be symmetric (WLG), and we therefore need to bound Eve's information only for 
attacks symmetric to 0/1. 

The symmetrization is performed using bit-wise operations. Given any transformation of Eve, she symmetrizes it as follows: for each qubit $|q_i\rangle$ she creates an ancilla qubit $|w_i\rangle = H|0\rangle = \frac{1}{\sqrt2}(|0_z\rangle + |1_z\rangle)$ and performs a pseudo-controlled-NOT transformation on this ancilla and $|q_i\rangle$: if $|w_i\rangle = |0\rangle$, leave $|q_i\rangle$ as is; otherwise negate it (i.e., rotate it by 180 degrees). After the application of $U$ she performs the inverse of this pseudo-controlled-NOT. The gate needs to negate the bit in both the $x$ and $z$ bases; in fact, a controlled-$(\sigma_x\sigma_z)$ on the ancilla and the data qubit performs this transformation. The 0/1 symmetrization ensures that the errors are independent of the values 0 or 1 that Alice sends (in either basis). The overall attack on all qubits is then described by $U_{\rm sym}(|0\rangle|i\rangle) = \sum_j |E^{\rm sym}_{ij}\rangle|j\rangle$, with $E^{\rm sym}$ written in terms of $E'$ as follows:
$$|E^{\rm sym}_{ij}\rangle = \frac{1}{\sqrt{2^{2n}}}\sum_m (-1)^{(i\oplus j)\cdot m}\, |E'_{i\oplus m,\, j\oplus m}\rangle\,|m\rangle . \qquad (2)$$

That the 0/1 symmetrization does not change the average error rate is obvious, since Eve can always project onto one particular $m$ (and destroy the symmetry) by measuring $|m\rangle$, and any such projection leads to the same attack (up to a shift of $i$ and $j$ by $m$). It is also obvious that the symmetric attack cannot be worse (for Eve) in terms of Eve's information, for the same reason. Clearly, it can only increase Eve's information, since she does not have to measure $m$ but can also do other things.

Later on Eve obtains all classical information sent by Alice and Bob. Eve learns $b$ (the bases) and $s$ (which bits are the test bits and which are the information bits). She also learns the values of the test bits $i_T$ and $j_T$. We also use $i_I$ and $j_I$ to denote the values of the information bits. Once the additional data regarding the bases and the values of the test bits is given to Eve, this data modifies her probes' states. We define $|\psi_{i_I}\rangle$ to be the state of Eve+Bob if Alice chose bases $b$, an order $s$ and values $i_T, i_I$, Eve's attack is $U_{\rm sym}$, and Bob received $j_T$ in his measurement of the test bits. Formally,
$$|\psi_{i_I}\rangle = \frac{1}{\sqrt{P(j_T \mid i_T, i_I, b, s)}}\;\langle j_T|\, U_{\rm sym}\Big[\big(|0\rangle\big)_{\rm Eve}\,\big(|i_T\rangle|i_I\rangle\big)_{\rm Alice}\Big] . \qquad (3)$$

We define $|E_{i_I j_I}\rangle$, Eve's states for given classical data $(i_T, j_T, s, b)$, by writing $|\psi_{i_I}\rangle = \sum_{j_I} |E_{i_I j_I}\rangle|j_I\rangle$. If $E_{ij}$ is obtained in this way from an attack $E'$, and for that attack $E^{\rm sym}_{ij}$ is obtained from the symmetrized attack $E'^{\rm sym}$, then $E^{\rm sym}_{ij}$ also satisfies Eq. (2) with $E$ replacing $E'$. See the proof in Appendix C.



3 Information Versus Disturbance 



In this section we analyze the information bits alone (for a given symmetric attack $U_{\rm sym}$, a given input $i_T$ and outcome $j_T$ on the test bits, and given bases $b$ and choice of test bits $s$). Our result here applies for any $U_{\rm sym}$, hence in particular for the optimal one. The optimization over Eve's measurement is avoided by using the fact that the trace norm of the difference of two density matrices provides an upper bound on the accessible information one could obtain when having the two density matrices as the possible inputs.

3.1 Eve's State 

When Alice sends a state $|i_I\rangle$ for the information bits (written in the basis actually used by her and Bob for these bits), the state of Eve and Bob together, $|\psi_{i_I}\rangle = \sum_{j_I}|E_{i_I,j_I}\rangle|j_I\rangle$, is fully determined by Eve's attack and by the data regarding the test bits. Eve's state in that case is fully determined by tracing out Bob's subsystem $|j_I\rangle$ from the Eve-Bob state, and it is
$$\rho^{i_I} = \sum_{j_I} |E_{i_I,j_I}\rangle\langle E_{i_I,j_I}| ,$$
calculated given $i_T$ and $j_T$. This state in Eve's hands is a mixed state.

3.2 Purification and a related Orthogonal Basis 

We can "purify" the state while giving more information to Eve by assuming she keeps the state
$$|\phi_{i_I}\rangle = \sum_{j_I} |E_{i_I,j_I}\rangle\,|i_I \oplus j_I\rangle ,$$
where we introduce another subsystem for the purification.

This state is at least as informative to Eve as $\rho^{i_I}$ is, because the density matrix is exactly the same if Eve ignores the $i\oplus j$ register of $\phi$. Thus any information Eve can obtain from her mixed state is bounded by the information she could get if the purified state were available to her.

Since we deal here only with the information bits, we can drop the subscript $I$ when there is no risk of confusion, and we write $\rho^i = \sum_j |E_{i,j}\rangle\langle E_{i,j}|$ and $|\phi_i\rangle = \sum_j |E_{i,j}\rangle|i\oplus j\rangle$. We shall retain the index when we consider both information and test bits.

We define an orthogonal basis $|\eta_l\rangle$, and show that it is possible to compute a bound on Eve's information on the information bits once the purified states are written in this basis.

Definition 3.1 

Z I 

Using the above definitions and $\frac{1}{2^n}\sum_i (-1)^{i\cdot(l\oplus l')} = \delta_{l,l'}$, Eve's purified state can be rewritten as
$$|\phi_i\rangle = \sum_l (-1)^{i\cdot l}\, d_l\, |\eta_l\rangle . \qquad (4)$$

Lemma 3.1 The $|\eta_l\rangle$'s form an orthogonal basis, i.e., $\langle\eta_k|\eta_l\rangle = 0$ for $k \ne l$.

Proof: See Appendix D. It should be noted that the above lemma is the only place where the 0/1 symmetry is explicitly made use of.



3.3 Eve's State and Probability of Errors Induced on Information Bits 



In this subsection we first show that the probability of any error string Eve would have induced, had the conjugate basis been used for the information bits, is a simple function of the $d_l$'s (of Definition 3.1).

For any attack $P(j_I = i_I \oplus c_I \mid i_I, i_T, j_T, b, s) = \langle E_{i_I, i_I\oplus c_I} | E_{i_I, i_I\oplus c_I}\rangle$, and thus the error distribution in the information bits is
$$P(c_I \mid i_T, j_T, b, s) = \frac{1}{2^n}\sum_{i_I} P(j_I = i_I\oplus c_I \mid i_I, i_T, j_T, b, s) = \frac{1}{2^n}\sum_{i_I}\langle E_{i_I, i_I\oplus c_I} | E_{i_I, i_I\oplus c_I}\rangle ,$$
the average probability of an error syndrome $c_I$ for the information bits (when the test bits, bases and sequence are given).

Due to the linearity of quantum mechanics, given Eve's attack in one basis we can write Eve's attack in any other basis, and in particular in a basis where the $x$/$z$ bases of each information qubit are interchanged. Let an input string be the same as the original but with the bases of the information bits switched, i.e., $|i_T, i_I^\circ\rangle$, and let the output bits be $|j_T, j_I^\circ\rangle$ in the switched bases. If Alice and Bob used the conjugate basis for each of the information qubits (while using the same bases as before for the test bits), and Eve used the same attack, then the error distribution in the conjugate basis (over the information bits) is
$$P(c_I^\circ \mid i_T, j_T, b, s) = \frac{1}{2^n}\sum_{i_I^\circ} P(j_I^\circ = i_I^\circ\oplus c_I^\circ \mid i_I^\circ, i_T, j_T, b, s) .$$

The following lemma shows that the probability of an error syndrome $c$, if the conjugate bases were used, is given by the (squared) coefficients $d_c$ obtained when writing the purification of Eve's states in the basis $|\eta_c\rangle$.

Lemma 3.2
$$P(c_I^\circ \mid i_T, j_T, b, s) = d^2_{c_I} . \qquad (5)$$

Proof: See Appendix E.

This is the only place where the properties of quantum mechanics are used, and this result is later translated into an information-versus-disturbance result. The rest of the proof is based on probability theory and information theory.



3.4 Bounds on Eve's Information 

In this subsection we improve upon a result from the earlier analysis of collective attacks. Eve's information on a particular bit of the final key (even if all other bits of the final key are given to her) is bounded. We take into consideration the error-correction data that is given to Eve, and we do it more efficiently than before, hence we obtain a much better threshold for the allowed error rate.

Let us first discuss a one-bit final key, defined to be the parity of a substring of the input $i$. The substring is defined using a mask $v$, meaning that the secret key is $v\cdot i$ (so $v$ tells us the subset of bits whose parity is the final key). See Appendix F for a more formal explanation of ECCs. Eve does not know $i$, but she learns the error correcting code $C$ used by Alice and Bob as well as $v$ and the parity bits $\xi$ sent by Alice to help Bob correct the sequence he received. All the possible inputs $i$ that have the correct parities $\xi$ for the code $C$ form a set denoted $C_\xi$.

When the purification of Eve's state is given by $|\phi_i\rangle$, the density matrix is $\rho^i = |\phi_i\rangle\langle\phi_i|$. In order to guess the key $b = v\cdot i$, Eve must now distinguish between two ensembles of states: the ensemble of (equally likely) states $\rho^i$ with $i\in C_\xi$ and key $b = v\cdot i = 0$, and the ensemble of (equally likely) states $\rho^i$ with $i\in C_\xi$ and key $b = v\cdot i = 1$. For $b\in\{0,1\}$ these ensembles are represented by the density matrices
$$\rho_b = \frac{1}{2^{\,n-(r+1)}} \sum_{i\in C_\xi,\; i\cdot v = b} \rho^i ,$$
and Eve's goal is to distinguish between them. (The letter $b$ denotes the key bit here and Alice's bases elsewhere; the meaning is clear from the context.) A good measure of their distinguishability is the optimal mutual information (known as the accessible information) that one could get if one needs to guess the bit $b$ by performing an optimal measurement to distinguish between the $\rho_b$. We call this the Shannon Distinguishability (SD) to emphasize that it is a distinguishability measure, and $SD = \mathrm{opt}\{I(A_j;\mathcal E\mid i_T, j_T, b, s)\}$, where the optimization is over all possible measurements.

In the same way that $v$ acts as a mask and the secret bit is $v\cdot i$, the error-correction data also acts as masks: the $r$ parity-check strings $v_1, v_2, \dots, v_r$ and the parities $\{v_1\cdot i, v_2\cdot i, \dots, v_r\cdot i\}$ are given to Eve. Let us assume (WLG) that these parity-check strings are linearly independent. Eve also knows the parity of any linear combination of the $r$ parity strings, e.g., $(v_1\oplus v_2)\cdot i$. As a result, a total of $2^r$ parity strings and parity bits are known to Eve. Let us take $s$ to be an index running from $0$ to $2^r-1$, so that we call the set of all these $2^r$ parity strings $S_s$, and $v_s\in S_s$ means that $v_s$ is in this set.

Let $\hat v$ be the minimum Hamming distance between $v$ and any (error correction) parity string $v_s$ [the minimal Hamming weight of $v\oplus v_s$ when the minimum is over all strings $v_s\in S_s$]. Then, for Eve's purified states $|\phi_i\rangle = \sum_l (-1)^{i\cdot l} d_l |\eta_l\rangle$, we obtain:

Lemma 3.3 The Shannon distinguishability between the parity 0 and the parity 1 of the information bits over any PA string $v$ is bounded above by the following inequality:
$$SD_v \le \alpha + \frac{1}{\alpha}\sum_{|l|\ge \hat v/2} d_l^2 , \qquad (6)$$
where $\alpha$ is any positive constant, and $SD_v$ is the optimal mutual information that Eve can obtain regarding the parity bit defined by the string $v$ (given the test and unused bits).

Proof: See Appendix G.

This gives an upper bound on Eve's information about the bit defined by this privacy amplification string $v$. In order to prove security in the case of $m$ bits in the final key, we start by proving the security of each bit when we assume that Eve is given the ECC information and, in addition, the values of all the other bits of the key. This is like using a code with $r+m-1$ independent parity check strings, or like using fewer code words. Since $r$ does not appear in the above bound, replacing $r$ by $r+m-1$ leaves the same result as before, $SD_v \le \alpha + \frac{1}{\alpha}\sum_{|l|\ge\hat v/2} d_l^2$, as a bound on Eve's information on (any) one bit of the final key (but probably causes a decrease in $\hat v$).

3.5 Eve's Information versus the Induced Disturbance 

We have already shown in Eq. (5) that $P(c_I^\circ \mid i_T, j_T, b, s) = d^2_{c_I}$. Thus
$$SD_v \le \alpha + \frac{1}{\alpha}\sum_{|c_I|\ge\hat v/2} P(c_I^\circ \mid i_T, j_T, b, s) . \qquad (7)$$
This equation bounds Eve's information using the probability of the error syndromes in the other basis, and it completes the "information versus disturbance" part of our proof. Previous security proofs (for simpler attacks), such as [6], are also based on various "information versus disturbance" arguments, since the non-classicality of QKD is manifested via such arguments.

The result is expressed in classical terms: Eve's information is bounded using the probability of error strings with large Hamming weight. If only error strings with low weight have non-zero probability, Eve's information goes to zero. Such a result is a "low weight" property, and it resembles a result with this name derived by Yao for the security analysis of quantum oblivious transfer. Henceforth we no longer concern ourselves with the delicate issues of quantum mechanics.

From this point on we use standard information theory and probability notation. The Shannon Distinguishability is the optimal mutual information between Eve's bits ($\mathcal E$) and Alice's $j$-th bit ($A_j$) (when all other PA bits are given together with the ECC data and test data). Therefore,
$$I(A_j;\mathcal E \mid i_T, j_T, b, s) \le \alpha + \frac{1}{\alpha}\sum_{|c_I|\ge\hat v/2} P(c_I^\circ \mid i_T, j_T, b, s) .$$

When summing over the $m$ bits of the key, the total information Eve receives on the final $m$-bit key is bounded by
$$I(A;\mathcal E \mid i_T, j_T, b, s) \le m\left(\alpha + \frac{1}{\alpha}\sum_{|c_I|\ge\hat v/2} P(c_I^\circ \mid i_T, j_T, b, s)\right) , \qquad (8)$$
as explained in the appendix.

If $\alpha = \sqrt{\sum_{|c_I|\ge\hat v/2} P(c_I^\circ\mid i_T,j_T,b,s)}$, then $I(A;\mathcal E\mid i_T,j_T,b,s) \le 2m\sqrt{\sum_{|c_I|\ge\hat v/2} P(c_I^\circ\mid i_T,j_T,b,s)}$; however, to derive the security criterion we need not fix $\alpha$ yet.



4 Completing the Security Proof 

In this section we analyze the attack on the test and information bits together, $U_{\rm sym}\big[(|0\rangle)_{\rm Eve}(|i_T\rangle|i_I\rangle)_{\rm Alice}\big] = \sum_{j_T,j_I} |E'_{i_T i_I,\, j_T j_I}\rangle |j_T\rangle|j_I\rangle$. For these states we bound a weighted average of Eve's information, $\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T, c_T, b, s)\, I(A;\mathcal E\mid i_T, c_T, b, s)$. We show that this quantity is small and hence that security is achieved. Note that $c_T$ replaces $j_T$ from this point forward (when $i_T$ is given): recall that $c_T = i_T\oplus j_T$, so once $c_T$ is known $j_T$ is uniquely given. We define $C_I$ and $C_T$ to be the random variables taking the values $c_I$ and $c_T$ respectively.



4.1 Exponentially-Small Bound on Eve's information 

We generalize here previous proofs (e.g. [18]) that the information on parity bits is exponentially small, to be applicable to the joint attack.

The maximum error rate that still passes the test is $p_{\rm allowed}$ (or $p_a$). Also recall that $T$ denotes the random variable for the test. Making use of Eq. (8) we get:

Lemma 4.1
$$\sum_{i_T,c_T} P(T=\text{pass}, i_T, c_T \mid b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le m\left(\alpha + \frac{1}{\alpha}\, P\Big[\Big(\frac{|C_I^\circ|}{n} \ge \frac{\hat v}{2n}\Big)\cap\Big(\frac{|C_T|}{n}\le p_{\rm allowed}\Big)\,\Big|\, b, s\Big]\right) .$$

Proof: The proof is in the appendix.

For an $\varepsilon$ (called $\varepsilon_{\rm sec}$ earlier) such that $\hat v \ge 2n(p_{\rm allowed}+\varepsilon)$ we get the following bound:
$$\sum_{i_T,c_T} P(T=\text{pass}, i_T, c_T \mid b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le m\left(\alpha + \frac{1}{\alpha}\, P\Big[\Big(\frac{|C_I^\circ|}{n} \ge p_a+\varepsilon\Big)\cap\Big(\frac{|C_T|}{n}\le p_a\Big)\,\Big|\, b, s\Big]\right) .$$



Thus far, there is nothing that causes the bound on the right hand side to be a small number. The 
result above is true even if Eve is told in advance the bases of Alice and Bob (the string b) , or if she is 
told in advance which are the test bits and which are the used bits (the string s), two cases in which 
Eve easily obtains full information. 

Only Eve's lack of knowledge regarding the random b and s provides an exponentially small number 
at the right hand side. Since Eve must fix her attack before she knows the basis or order, we compute 
the average information for a fixed attack over all bases and orders. This averaging has the fortunate 
side effect of removing the conjugation on C/: 

Lemma 4.2
$$\sum_{i_T,c_T,b} P(T=\text{pass}, i_T, c_T, b \mid s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le m\left(\alpha + \frac{1}{\alpha}\sum_b P(b)\, P\Big[\Big(\frac{|C_I|}{n} \ge p_a+\varepsilon\Big)\cap\Big(\frac{|C_T|}{n}\le p_a\Big)\,\Big|\, b, s\Big]\right) . \qquad (9)$$

Proof: The proof is in the appendix.

By averaging over all values of the order $s$, and assigning a value to the free parameter $\alpha$, we get:

Lemma 4.3
$$\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T, c_T, b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le 2m\sqrt{\sum_b P(b)\, P\Big[\Big(\frac{|C_I|}{n} \ge p_a+\varepsilon\Big)\cap\Big(\frac{|C_T|}{n}\le p_a\Big)\,\Big|\, b\Big]} . \qquad (10)$$

Proof: The proof is in the appendix.

We define $h_b = P\big[(\frac{|C_I|}{n}\ge p_a+\varepsilon)\cap(\frac{|C_T|}{n}\le p_a)\,\big|\,b\big]$, and then
$$\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T, c_T, b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le 2m\sqrt{\sum_b P(b)\, h_b} .$$
This bound can be dealt with by a random sampling theorem (Hoeffding's law of large numbers [10]). For a long string, the test bits and the information bits should have a similar number of errors if the test is picked at random; the probability that they have substantially different numbers of errors goes to zero exponentially fast, as shown in the following lemma.

Lemma 4.4 For any $\varepsilon > 0$, $h_b \le 2e^{-\frac12 n\varepsilon^2}$.

Proof: See the appendix.

As a corollary we get
$$\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T, c_T, b, s)\, I(A;\mathcal E\mid i_T,c_T,b,s) \le 2m\sqrt{2e^{-\frac12 n\varepsilon^2}} = A\,e^{-\beta n} ,$$
with $A = 2m\sqrt2$ and $\beta = \varepsilon^2/4$.
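As an added example (written for this page, not taken from the paper), the following Python code evaluates the classical sampling quantity behind Lemma 4.4 exactly. Eve must fix her attack, and so the error pattern of weight $E$ on the $2n$ positions, before $s$ is chosen; $s$ then picks the $n$ test positions uniformly, so the number of test errors is hypergeometric. The code computes the probability that at most $p_a n$ errors land on the test bits while at least $(p_a+\varepsilon)n$ land on the information bits (the event with "$\ge$" in place of the strict inequality, which is larger, so the Hoeffding bound must still dominate it), maximizes it over Eve's choice of $E$, and compares the result with $2e^{-\frac12 n\varepsilon^2}$. The parameter values in the demo are my own choice.

```python
import math


def tail_probability(n, total_errors, p_a, eps):
    """Exact probability, over the uniform choice of n test positions among 2n
    (sampling without replacement), that a fixed error pattern of weight
    total_errors shows at most p_a*n errors on the test bits while the
    information bits carry at least (p_a + eps)*n errors."""
    k_max = math.floor(p_a * n)               # test errors that still pass step II.3
    info_min = math.ceil((p_a + eps) * n)     # information errors that defeat the PA
    denom = math.comb(2 * n, n)               # number of equally likely strings s
    prob = 0.0
    for k in range(0, min(k_max, total_errors) + 1):
        if total_errors - k < info_min:
            continue
        # k of the errors fall on the n test positions, the rest on the information bits
        prob += math.comb(total_errors, k) * math.comb(2 * n - total_errors, n - k) / denom
    return prob


def h_max(n, p_a, eps):
    """Worst case over Eve's choice of how many of the 2n qubits to disturb:
    an exact, attack-independent value of the h_b of Lemma 4.4 for the
    sampling argument alone."""
    return max(tail_probability(n, e, p_a, eps) for e in range(2 * n + 1))


def hoeffding_bound(n, eps):
    """The right-hand side of Lemma 4.4: 2 exp(-n eps^2 / 2)."""
    return 2.0 * math.exp(-0.5 * n * eps ** 2)


if __name__ == "__main__":
    p_a, eps = 0.1, 0.2
    for n in (32, 128, 512):
        print(f"n={n:4d}  exact worst case={h_max(n, p_a, eps):.3e}"
              f"  Lemma 4.4 bound={hoeffding_bound(n, eps):.3e}")
```

The exact value is always below the bound, and it falls off exponentially in $n$, which is what the final step of the proof needs; the bound is of course loose for small $n$ (it exceeds 1 for $n\varepsilon^2 < 2\ln 2$).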

Using $I_{\rm Eve} = I(A;\mathcal E\mid i_T,c_T,b,s)$ and the above bound we obtain the security criterion (see the appendix):
$$\Pr\big(\text{Test passes and } I_{\rm Eve} > A_{\rm info}\,e^{-\beta_{\rm info} n}\big) < A_{\rm luck}\,e^{-\beta_{\rm luck} n} , \qquad (11)$$
with $A_{\rm info} = A_{\rm luck} = \sqrt A$ and $\beta_{\rm info} = \beta_{\rm luck} = \beta/2$.
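The step from the averaged bound to the criterion (11) is a Markov-inequality argument; it is spelled out here as an added remark (the paper's own version is in its appendix). Write $X = I(A;\mathcal E\mid i_T,c_T,b,s)$ for Eve's information at a given protocol transcript. The corollary above states $\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T,c_T,b,s)\,X \le A e^{-\beta n}$, and every transcript with $X > x$ contributes at least $x\,P(T=\text{pass}, i_T,c_T,b,s)$ to this sum, so for any threshold $x > 0$
$$\Pr\big(T=\text{pass}\ \text{and}\ X > x\big) \le \frac{1}{x}\sum_{i_T,c_T,b,s} P(T=\text{pass}, i_T,c_T,b,s)\,X \le \frac{A\,e^{-\beta n}}{x} .$$
Choosing $x = \sqrt{A}\,e^{-\beta n/2}$ balances the two exponents and gives
$$\Pr\big(T=\text{pass}\ \text{and}\ X > \sqrt{A}\,e^{-\beta n/2}\big) \le \sqrt{A}\,e^{-\beta n/2} ,$$
which is (11) with $A_{\rm info} = A_{\rm luck} = \sqrt A$ and $\beta_{\rm info} = \beta_{\rm luck} = \beta/2$.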

When choosing $\varepsilon = \varepsilon_{\rm rel}$ in Lemma 4.4, that lemma also proves that, once the test passes, there are no more than $(p_a+\varepsilon_{\rm rel})n$ errors in the information string (except with exponentially small probability $2e^{-\frac12 n\varepsilon_{\rm rel}^2}$), so that the ECC corrects these errors. Thus $A_{\rm rel} = 2$ and $\beta_{\rm rel} = \varepsilon_{\rm rel}^2/2$ in the reliability criterion.

The above bound on Eve's information is exponentially small, but it assumes that ECC codes with the desired properties exist. We present an asymptotic result of security and reliability using random linear codes (RLC) in the appendix, where we analyze RLC and show that such a code provides asymptotic reliability and security for an allowed error rate below 7.56%.



5 Summary 

We proved the security of the Bennett-Brassard (BB84) protocol for quantum key distribution. Our proof is based on information-versus-disturbance, on the optimality of symmetric attacks, on laws of large numbers, and on various techniques that simplify the analysis of the problem.
A Comparison to Other Approaches to the Security of QKD

A proof of security of a non-practical QKD protocol (based on the use of quantum computers by the legitimate users) is provided in [14]; it is based on the assumption of fault-tolerant quantum computation, hence it cannot yet provide a bound on Eve's information. Apart from this, it is a very strong proof. The work of Lo and Chau continues previous works on quantum privacy amplification [17] and [18].



A security claim equivalent to ours (for the same QKD protocol of [1]) was announced in Crypto96 [?] and its details (and some corrections) are given later on, in publicly announced drafts. It is obtained using different tools, based on the security of quantum oblivious transfer (given bit commitment) [?].

Our work provides a rather simple security proof based on the intuitive concept of information 
versus disturbance. 

Our result does not suffer from any problem related to the use of fault-tolerant computation, which in our case refers to the regular classical fault-tolerant computation used in the classical information processing steps of any classical protocol: since we discuss probabilities, the only effect of a coherent error on the classical computation is to add some extremely small probability of error (incoherent classical noise) to the final probability of failure (called $P_{luck}$). On the other hand, doing the same for the quantum coherent noise in the protocol of [14] is not obvious, and still requires a proof.

There are two recent suggestions to attack the security problem using an analogy to quantum error correction [15] and using compression and random sampling [16], but we have yet to see written drafts of these ideas.



B Security of BB84 

In the paper we prove that used-bits-BB84 is secure. Let us now present the original BB84 protocol 
and prove, by reduction, that its security follows immediately from the security of the used-bits-BB84 
protocol. 

The differences between the protocols are only in the first part: 



I. Creating the sifted key:

1. Alice and Bob choose a large integer $n \gg 1$, and a number $\delta_{num}$, such that $1 \gg \delta_{num} \gg 1/\sqrt{2n}$. The protocol uses $n'' = (4 + \delta_{num})n$ bits.

2. Alice randomly selects two $n''$-bit strings, $b$ and $i$, which are then used to create qubits: the string $b$ determines the basis ($0 = z$, and $1 = x$) of the qubits. The string $i$ determines the value (0 or 1) of each of the $n''$ qubits (in the appropriate bases).

3. Bob randomly selects an $n''$-bit string, $b'$, which determines Bob's later choice of bases for measuring each of the $n''$ qubits.

4. Alice generates $n''$ qubits according to her selection of $b$ and $i$, and sends them to Bob via a quantum communication channel.

5. After receiving the qubits, Bob measures in the basis determined by $b'$.

6. Alice and Bob publish the bases they used; this step should be performed only after Bob received all the qubits.

7. All qubits with different bases are discarded by Alice and Bob. Thus, Alice and Bob finally have $n' \approx n''/2$ bits for which they used the same bases. The $n'$-bit string would be identical for Alice and Bob if Eve and natural noise do not interfere.

8. Alice selects the first $2n$ bits from the $n'$-bit string, and the rest of the $n'$ bits are discarded. If $n' < 2n$ the protocol is aborted.

We shall refer to the resulting $2n$-bit string as the sifted key.
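The first part of BB84 as listed above, simulated step by step; this is an added example and not code from the paper. Bob's measurement is modelled ideally (same basis returns Alice's bit, flipped with probability `flip_prob` to stand in for natural noise; different basis returns a uniformly random outcome), no eavesdropper is modelled, and the random choices come from a seeded generator, so all inputs are constructed.

```python
import random
from math import sqrt


def sift(b, b_prime, i, j, n):
    """Steps 7-8: keep the positions where Alice's basis string b and Bob's
    basis string b_prime agree, then take the first 2n of them.
    Returns (alice_bits, bob_bits) or None when n' < 2n (protocol aborted)."""
    keep = [k for k in range(len(b)) if b[k] == b_prime[k]]
    if len(keep) < 2 * n:
        return None
    sel = keep[:2 * n]
    return [i[k] for k in sel], [j[k] for k in sel]


def run_part_one(n, delta_num, flip_prob=0.0, seed=0):
    """Steps 1-8 with all random strings drawn from a seeded generator."""
    rng = random.Random(seed)
    if not (1 > delta_num > 1 / sqrt(2 * n)):            # step 1 constraint
        raise ValueError("need 1 >> delta_num >> 1/sqrt(2n)")
    n2 = int((4 + delta_num) * n)                        # n'' = (4 + delta_num) n
    b = [rng.randrange(2) for _ in range(n2)]            # step 2: Alice's bases (0 = z, 1 = x)
    i = [rng.randrange(2) for _ in range(n2)]            # step 2: Alice's bit values
    b_prime = [rng.randrange(2) for _ in range(n2)]      # step 3: Bob's bases
    j = []                                                # step 5: Bob's measurement outcomes
    for k in range(n2):
        if b[k] == b_prime[k]:
            j.append(i[k] ^ int(rng.random() < flip_prob))   # same basis: Alice's bit, maybe flipped
        else:
            j.append(rng.randrange(2))                       # wrong basis: random outcome
    return sift(b, b_prime, i, j, n)                     # steps 6-8


def error_rate(x, y):
    """Fraction of positions where the two sifted strings differ."""
    return sum(a != c for a, c in zip(x, y)) / len(x)


if __name__ == "__main__":
    result = run_part_one(100, 0.9, flip_prob=0.05)
    if result is None:
        print("aborted: fewer than 2n agreeing bases")
    else:
        print("sifted length:", len(result[0]), "error rate:", error_rate(*result))
```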



The second part of the protocol is identical to the second part of the used-bits-BB84 protocol. To 
prove that BB84 is secure let us modify BB84 by a few steps in a way that each step can only be 
helpful to Eve, and the final protocol is the used-bits-BB84. 

Recall that Alice and Bob choose their strings of bases $b$ and $b'$ in advance. Recall that the two strings are random. Thus, the first modification below has no influence at all on the security or the analysis of the BB84 protocol. Note that after the first modification Alice knows the un-used bits in advance. The second modification is done in a way that Eve can only gain, hence security of the resulting protocol provides the security of BB84. The third modification is only "cosmetic", in order to derive precisely the used-bits-BB84 protocol. This modification changes nothing in terms of Eve's ability.

• Let Bob have a quantum memory. Let Alice choose $b'$ instead of Bob at step 3. When Bob receives the qubits at step 5, let him keep the qubits in a memory, and tell Alice he received them. In step 6, let Alice announce $b'$ to Bob, and Bob measure in bases $b'$.

Bob immediately knows which are the used and the un-used bits (as follows directly from announcing $b$ and $b'$). Steps 7 and 8 are now combined since Alice and Bob know all the un-used bits already, and they ignore them, to be left with $2n$ bits.

• Let Alice generate and send to Bob only the used bits in step 4, and let her ask Eve to send the un-used bits (by telling her which these are, and also the preparation data for the relevant subsets, that is $b_{un\text{-}used}$ and $i_{un\text{-}used}$). Knowing which are the used bits, and knowing their bases $b_{un\text{-}used}$ and values $i_{un\text{-}used}$, can only help Eve in designing her attack $U'$.

Since Bob never uses the values of the unused bits in the protocol (he only ignores them), he doesn't care if Eve doesn't provide him these bits or provides them to him without following Alice's preparation request.

After Bob receives the used and unused bits, let him give Eve the unused qubits (without measuring them), and ask her to measure them in bases $b'_{un\text{-}used}$. Having these qubits can only help Eve in designing her optimal final measurement.

Since Bob never uses the values of the unused bits in the rest of the protocol, he doesn't care if Eve doesn't provide him these values correctly or at all.

• Since Alice and Bob never made any use of the unused bits, Eve could have them as part of her ancilla to start with, and Alice could just create $2n$ bits, send them to Bob, and then tell him the bases.

The protocol obtained after this reduction is a protocol in which Eve has full control on her qubits and on the unused qubits. Alice and Bob have control on the preparation and measurement of the used bits only. This is the used-bits-BB84, for which we prove security in the text.

One important remark is that the exponentially small probability that $n' < 2n$ in Step 8 (so that the protocol is aborted due to an insufficient number of bits in the sifted key) now becomes a probability that the reduction fails.

Another important remark is that the issue of high loss rate of qubits (e.g., due to losses in 
transmission or detection) can also be handled via the same reduction. Thus, our proof applies also 
to a more practical BB84 protocol where high losses are allowed. 

By the way, another practical aspect is imperfect sources (in which the created states are not 
described by a two-level system). This subject is the issue of recent subtlety regarding the security of 
practical schemes, and it is not discussed in this current work. 



C Symmetrization 



We prove the optimality of 0/1 symmetrization. It is also shown that the symmetrized attacks retain 0/1 symmetry even after the test bits are measured.

The fundamental reason symmetrization works is that Alice sends Bob bits that have a great deal of symmetry before the key is defined. For instance, Alice sends 0 with probability one half, and likewise 1. So Eve can gain nothing by assuming a particular string was sent or by optimizing her attack for a particular string. We discuss the symmetrization of the attack $U$ on $2n$ qubits. We use $|E'_{i_T,i_I,j_T,j_I}\rangle$ for $|E'_{ij}\rangle$ when both test and information bits are considered together.

Eve's attack over all the bits is defined:

$$U|0\rangle|i\rangle = \sum_j |E'_{ij}\rangle|j\rangle \qquad (12)$$

The following symmetric attack is defined:

$$|E_{ij}\rangle = \frac{1}{\sqrt{2^{2n}}}\sum_m (-1)^{(i\oplus j)\cdot m}\,|m\rangle\,|E'_{i\oplus m,\,j\oplus m}\rangle \qquad (13)$$

This symmetric attack is at least as good as the original attack: Eve could, as part of her attack, measure the bits of $|m\rangle$. She would then collapse her attack to $|E'_{i\oplus m,\,j\oplus m}\rangle$ uniformly distributed over $m$. If the attack $|E'_{ij}\rangle$ was optimal and if $i,j$ are uniformly distributed, then $|E'_{i\oplus m,\,j\oplus m}\rangle$ is also optimal as it only represents a shift in Alice's (already random) choice of bits. From Eve's perspective the symmetrization is simple. She prepares the register $\sum_m |m\rangle$ and uses it as the control bits in a Controlled-$(\sigma_x\sigma_z)$ (i.e., the controlled-NOT described in Section 2) onto the bits intended for Bob. Eve then applies her unsymmetrized attack $|E'_{ij}\rangle$. Following this she un-applies the bit flips by Controlled-$(\sigma_z\sigma_x)$.

Now we show that information bits are still symmetric after test bits are measured. If we first symmetrize the test and then the information bits, we get the following:

$$|E_{i_I i_T j_I j_T}\rangle = \frac{1}{\sqrt{2^{2n}}}\sum_{m_I,m_T}|m_I\rangle|m_T\rangle(-1)^{(i_I\oplus j_I)\cdot m_I}(-1)^{(i_T\oplus j_T)\cdot m_T}\,|E'_{i_I\oplus m_I,\,i_T\oplus m_T,\,j_I\oplus m_I,\,j_T\oplus m_T}\rangle \qquad (14)$$

Since $i = i_I i_T$, $j = j_I j_T$, and $m = m_I m_T$, (13) becomes:

$$|E_{i_I i_T j_I j_T}\rangle = \frac{1}{\sqrt{2^{2n}}}\sum_{m_I,m_T}|m_I\rangle|m_T\rangle(-1)^{(i_I i_T\oplus j_I j_T)\cdot(m_I m_T)}\,|E'_{i_I\oplus m_I,\,i_T\oplus m_T,\,j_I\oplus m_I,\,j_T\oplus m_T}\rangle \qquad (15)$$

These two are identical because the inner product splits over the two substrings: $(i\oplus j)\cdot m = (i_I\oplus j_I)\cdot m_I + (i_T\oplus j_T)\cdot m_T \pmod 2$.

Hence the bit symmetrization is applied independently on test and information bits. This is used in the paper when we show that the basis $|\eta_j\rangle$ is an orthogonal basis.

So now we write the $|E^{*}_{i_I,i_T,j_I,j_T}\rangle$ which is the attack once the test is given:

$$|E^{*}_{i_I,i_T,j_I,j_T}\rangle = \frac{1}{\sqrt{p(j_T\mid i_I,i_T)}}\,|E_{i_I,i_T,j_I,j_T}\rangle \qquad (16)$$

where $p(j_T\mid i_I,i_T) = \sum_{j_I}\langle E_{i_I,i_T,j_I,j_T}|E_{i_I,i_T,j_I,j_T}\rangle$ can be expanded in the following manner:

$$\begin{aligned}
p(j_T\mid i_I,i_T) &= \sum_{j_I}\langle E_{i_I,i_T,j_I,j_T}|E_{i_I,i_T,j_I,j_T}\rangle\\
&= \frac{1}{2^{2n}}\sum_{j_I}\sum_{m_I,m_T}\langle E'_{i_I\oplus m_I,\,i_T\oplus m_T,\,j_I\oplus m_I,\,j_T\oplus m_T}|E'_{i_I\oplus m_I,\,i_T\oplus m_T,\,j_I\oplus m_I,\,j_T\oplus m_T}\rangle\\
&= \frac{1}{2^{2n}}\sum_{c_I}\sum_{m'_I,m_T}\langle E'_{m'_I,\,i_T\oplus m_T,\,c_I\oplus m'_I,\,j_T\oplus m_T}|E'_{m'_I,\,i_T\oplus m_T,\,c_I\oplus m'_I,\,j_T\oplus m_T}\rangle
\end{aligned}$$

(in the last step we substituted $m'_I = i_I\oplus m_I$ and $c_I = i_I\oplus j_I$). So in fact $p(j_T\mid i_I,i_T)$ is independent of $i_I$, so we may write:

$$|E^{*}_{i_I,i_T,j_I,j_T}\rangle = \frac{1}{\sqrt{p(j_T\mid i_T)}}\,|E_{i_I,i_T,j_I,j_T}\rangle \qquad (17)$$

We can imagine that the information bit symmetrization is applied after the test symmetrization, and after the measurement of the test bits has been done. Of course one cannot apply the information bit symmetrization after the information bits have been measured, because the attack is fixed after all bits have been measured.

$$|E^{ST}_{i_I,i_T,j_I,j_T}\rangle = \frac{1}{\sqrt{p(j_T\mid i_T)}}\,\frac{1}{\sqrt{2^{n}}}\sum_{m_T}|m_T\rangle(-1)^{(i_T\oplus j_T)\cdot m_T}\,|E'_{i_I,\,i_T\oplus m_T,\,j_I,\,j_T\oplus m_T}\rangle$$

Now, we can symmetrize the information bits separately:

$$|E_{i_I,j_I}\rangle = \frac{1}{\sqrt{2^n}}\sum_{m_I}|m_I\rangle(-1)^{(i_I\oplus j_I)\cdot m_I}\,|E^{ST}_{i_I\oplus m_I,\,j_I\oplus m_I}\rangle \qquad (18)$$

The above equation is used in Appendix D to show that the attack still has 0/1 symmetry after the test bits are announced.

From Alice and Bob's perspective, Eve's attack has been averaged over all possible inputs. The probability of a given error is now independent of $i$:

$$\begin{aligned}
P(|j\rangle = |i\oplus c\rangle)_{sym} &= \langle E_{i,i\oplus c}|E_{i,i\oplus c}\rangle\\
&= \frac{1}{2^{2n}}\sum_{m,m'}\langle E'_{i\oplus m,\,i\oplus m\oplus c}|E'_{i\oplus m',\,i\oplus m'\oplus c}\rangle\langle m'|m\rangle(-1)^{c\cdot(m\oplus m')}\\
&= \frac{1}{2^{2n}}\sum_{m}\langle E'_{i\oplus m,\,i\oplus m\oplus c}|E'_{i\oplus m,\,i\oplus m\oplus c}\rangle\\
&= \frac{1}{2^{2n}}\sum_{i'}\langle E'_{i',\,i'\oplus c}|E'_{i',\,i'\oplus c}\rangle\\
&= \frac{1}{2^{2n}}\sum_{i'} P(|j\rangle = |i'\oplus c\rangle)_{unsym}
\end{aligned}$$

In the second to last step we change variables $i' = m\oplus i$.

The symmetrization makes the symmetrized error distribution equal to the averaged error distribution of the original attack. Hence the average error rate for Alice and Bob is the same for the two attacks. This is important as we assume that Eve loses nothing by applying a symmetric attack.

We have calculated the fact that the error does not depend on the sent bits for the information+test string. Similarly, the distributions of $c_T$ and $c_I$ are independent of Alice's choice of bits. This can be shown easily by modifying the above calculations in very straightforward ways to consider any choice of substring. Intuitively it is clear that if the whole error string has a probability distribution independent of $i$, then any randomly selected subset would also.



D A Proof for Lemma 5.1

First we show that $\langle\phi_l|\phi_{l\oplus k}\rangle$ does not depend on $l$ for a symmetrized attack.

From Appendix C we know that the symmetric attack after measurement can be written as:

$$|E_{ij}\rangle = \frac{1}{\sqrt{2^n}}\sum_m (-1)^{(i\oplus j)\cdot m}\,|m\rangle\,|E^{ST}_{i\oplus m,\,j\oplus m}\rangle$$

with $|E^{ST}_{ij}\rangle$ being the attack symmetrized only over test bits, after Bob's test bits have been announced.

Now, we may compute $\langle\phi_l|\phi_{l\oplus k}\rangle$ for this (symmetric) attack:

$$\begin{aligned}
\langle\phi_l|\phi_{l\oplus k}\rangle &= \sum_j \langle E_{l,j}|E_{l\oplus k,\,j\oplus k}\rangle\\
&= \frac{1}{2^n}\sum_{j,m}\langle E^{ST}_{l\oplus m,\,j\oplus m}|E^{ST}_{l\oplus k\oplus m,\,j\oplus k\oplus m}\rangle
\end{aligned}$$

Change variables $m' = m\oplus l$ and $j' = j\oplus l$, so $j\oplus m = j'\oplus m'$:

$$\langle\phi_l|\phi_{l\oplus k}\rangle = \frac{1}{2^n}\sum_{j',m'}\langle E^{ST}_{m',\,j'\oplus m'}|E^{ST}_{m'\oplus k,\,j'\oplus m'\oplus k}\rangle$$

Therefore, $\langle\phi_l|\phi_{l\oplus k}\rangle$ does not depend on $l$ for the 0/1-symmetrized attacks. Thus, we can define

$$\langle\phi_l|\phi_{l\oplus k}\rangle = \Phi_k .$$

Now, by definition of $\eta$, we have $\langle\eta_i|\eta_j\rangle = \frac{1}{2^n}\sum_{l,m}(-1)^{i\cdot l}(-1)^{j\cdot m}\langle\phi_l|\phi_m\rangle$. Setting $k = l\oplus m$:

$$\langle\eta_i|\eta_j\rangle = \frac{1}{2^n}\sum_{l,k}(-1)^{i\cdot l}(-1)^{j\cdot(l\oplus k)}\langle\phi_l|\phi_{l\oplus k}\rangle = \frac{1}{2^n}\sum_k (-1)^{j\cdot k}\,\Phi_k\sum_l (-1)^{(i\oplus j)\cdot l}$$

When $i\ne j$, $\sum_l(-1)^{(i\oplus j)\cdot l}$ is zero, and thus

$$\langle\eta_i|\eta_j\rangle = 0. \qquad (19)$$

QED



E A Proof for Lemma

First note that the norm of $\eta_i$ satisfies

$$d_i^2 = \langle\eta_i|\eta_i\rangle = \frac{1}{2^n}\sum_{l,l'}(-1)^{(l\oplus l')\cdot i}\langle\phi_l|\phi_{l'}\rangle = \frac{1}{2^n}\sum_{l,k}(-1)^{i\cdot k}\langle\phi_l|\phi_{l\oplus k}\rangle = \sum_k (-1)^{i\cdot k}\sum_j\langle E_{l,j}|E_{l\oplus k,\,j\oplus k}\rangle \qquad (20)$$

which was calculated using

$$\langle\phi_l|\phi_{l\oplus k}\rangle = \sum_j\sum_{j'}\langle E_{l,j}|E_{l\oplus k,\,j'}\rangle\langle l\oplus j|l\oplus k\oplus j'\rangle = \sum_j\langle E_{l,j}|E_{l\oplus k,\,j\oplus k}\rangle$$

After the test and the unused bits are announced we have:

$$|\psi_i\rangle = \sum_j |E_{i,j}\rangle|j\rangle$$

The basis transformation is

$$|i\rangle^\circ = \frac{1}{\sqrt{2^n}}\sum_k (-1)^{i\cdot k}|k\rangle$$

Once Eve's attack is given in one basis it can be calculated in the other basis (due to linearity) so that:

$$|\psi_i\rangle^\circ = \sum_j |E^\circ_{i,j}\rangle|j\rangle^\circ$$

with

$$|E^\circ_{i,j}\rangle = \frac{1}{2^n}\sum_{h,l}(-1)^{i\cdot h}(-1)^{j\cdot l}\,|E_{h,l}\rangle$$

For any given outcomes of the test and unused bits, the probability $P(c^\circ_I\mid i_T,j_T,b,s)$ of an error string $c$ over the information bits in the opposite basis is

$$\begin{aligned}
P(c^\circ_I\mid i_T,j_T,b,s) &= \frac{1}{2^n}\sum_k\langle E^\circ_{k,k\oplus c}|E^\circ_{k,k\oplus c}\rangle\\
&= \frac{1}{2^n}\sum_{i,j}\sum_{i',j'}\Big(\frac{1}{2^n}\sum_k(-1)^{k\cdot(i\oplus j\oplus i'\oplus j')}\Big)(-1)^{c\cdot(j\oplus j')}\langle E_{i,j}|E_{i',j'}\rangle
\end{aligned}$$

The sum over $k$ is non-zero only when $i\oplus i' = j\oplus j' = h$:

$$= \frac{1}{2^n}\sum_{i,j,h}(-1)^{c\cdot h}\langle E_{i,j}|E_{i\oplus h,\,j\oplus h}\rangle = \langle\eta_c|\eta_c\rangle = d_c^2$$

where the last equalities are due to the calculation of the norm of $\eta$ in Eq. (20). QED

F The Error Correction Code 

After all the quantum bits are sent and Bob has made all his measurements, Alice announces an $(n,k,d)$ ECC, $C$, and the corresponding syndrome of her information bit string, $i_I$. In our protocol, $C$ is announced by sending the $r = (n-k)$ rows $v_j$, $j = 1,\ldots,r$ of a maximum-rank $r\times n$ generator matrix, $\mathcal{H}$, of its dual code, $S_s = C^\perp = \{v_s\in\{0,1\}^n \mid v_s\cdot c = 0\ \ \forall c\in C\}$ [and $\{v_1,\ldots,v_r\}$ is a basis of $S_s = C^\perp$]. The code-syndrome sent by Alice comprises $\xi_{Alice} = \mathcal{H}\cdot i_I$. Bob can now calculate $\xi_{Bob} = \mathcal{H}\cdot j_I$. Since $j_I = i_I\oplus c_I$, he can learn $\mathcal{H}\cdot c_I = \xi_{Alice}\oplus\xi_{Bob}$. Hence, Bob has the syndrome of his error string and can correct the errors if $|c_I| \le (d-1)/2$.

In the case of a one-bit key, the final key is extracted as $b = i_I\cdot v$, where $v\in\{0,1\}^n$ is the string defined for PA. Of course $v$ is chosen such that $v\notin S_s$. Before we proceed, we shall choose once and for all a subspace $S_s^c$ of $\{0,1\}^n$ containing $v$ and such that $S_s$ and $S_s^c$ are complementary; this means that $S_s^c$ is an $(n-r)$-dimensional subspace, such that $S_s^c\oplus S_s = \{0,1\}^n$, and $S_s^c\cap S_s = \{0\}$. Of course $S_s^c \ne S_s^\perp = C$. Note that $S_s^c$ is not unique (but is easy to construct after augmenting the set of vectors $\{v_1,\ldots,v_r,v\}$ to a basis of $\{0,1\}^n$).

The preceding error correction procedure, however, provides additional information to Eve. In particular, since Eve knows $\mathcal{H}$ (i.e., the generator matrix of $S_s$) and the syndrome $\xi_{Alice} = \mathcal{H}\cdot i_I$, Eve knows which coset $C_\xi = \{i_I\in\{0,1\}^n \mid \mathcal{H}i_I = \xi\}$ of $C$ Alice's information bit string, $i_I$, belongs to. That is, she learns it belongs to $C_\xi$ for $\xi = \xi_{Alice}$.

Let $i_\xi$ denote a code word in the coset $C_\xi$ (we dropped the index $I$, for convenience). Note that for any $i_\xi\in C_\xi$ we have

$$C_\xi = \{i_\xi\oplus c \mid c\in C\},$$

that is, all other code words in the coset $C_\xi$ can be obtained from one code word in $C_\xi$ by calculating its exclusive-or with all the code words in the original linear code $C$. We now choose arbitrarily an $i_\xi$ in each $C_\xi$. Those arbitrary[1] but fixed strings will often be referred to in the next appendix.
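The syndrome exchange and the coset structure just described, as an added example that is not the paper's code. It uses the $[7,4,3]$ Hamming code as a constructed instance ($n=7$, $r=3$, $d=3$, so one error is corrected); the rows of `H` play the role of $v_1,\ldots,v_r$ generating $S_s = C^\perp$, and the sample strings $i_I$, $j_I$ and $v$ are constructed.

```python
from itertools import product

# Rows v_1..v_r of the generator matrix H of S_s = C^perp (constructed [7,4,3] Hamming code)
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
N, R, D = 7, 3, 3          # length, number of parity checks r = n - k, minimum distance


def dot(u, v):
    """Inner product over GF(2)."""
    return sum(a & b for a, b in zip(u, v)) & 1


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def syndrome(x):
    """xi = H . x over GF(2), as a tuple of r bits."""
    return tuple(dot(row, x) for row in H)


def code_words():
    """C = kernel of H: the 2^(n-r) strings with zero syndrome (brute force)."""
    return [list(x) for x in product((0, 1), repeat=N) if not any(syndrome(x))]


def coset(xi):
    """C_xi = {x in {0,1}^n : H x = xi}."""
    return [list(x) for x in product((0, 1), repeat=N) if syndrome(x) == tuple(xi)]


def coset_from_representative(i_xi):
    """{i_xi xor c : c in C}, which should equal C_xi for xi = H . i_xi."""
    return {tuple(xor(i_xi, c)) for c in code_words()}


def dual_code():
    """S_s: all GF(2) combinations of the rows of H (2^r strings)."""
    words = set()
    for coeffs in product((0, 1), repeat=R):
        w = [0] * N
        for c, row in zip(coeffs, H):
            if c:
                w = xor(w, row)
        words.add(tuple(w))
    return words


def bob_corrects(j_I, xi_alice):
    """Bob learns H . c_I = xi_alice xor xi_bob and removes the unique error
    pattern of weight <= (d-1)/2 with that syndrome.  If more errors occurred
    the decoder still returns a string, but it is generally wrong."""
    xi_bob = syndrome(j_I)
    s = tuple(a ^ b for a, b in zip(xi_alice, xi_bob))
    for e in product((0, 1), repeat=N):
        if sum(e) <= (D - 1) // 2 and syndrome(e) == s:
            return xor(j_I, list(e))
    return None


def key_bit(i_I, v):
    """Privacy amplification to one bit: b = i_I . v."""
    return dot(i_I, v)


def ones_in_coset(xi, v):
    """How many members of C_xi give key bit 1 under v.  For v not in S_s this
    is exactly half of the coset (the syndrome says nothing about the key);
    for v in S_s every member gives the same bit, fixed by xi."""
    return sum(key_bit(x, v) for x in coset(xi))


if __name__ == "__main__":
    i_I = [1, 0, 1, 1, 0, 0, 1]              # constructed: Alice's information string
    xi_alice = syndrome(i_I)
    j_I = xor(i_I, [0, 0, 0, 0, 1, 0, 0])    # Bob's string with one channel error
    print("Bob recovers i_I:", bob_corrects(j_I, xi_alice) == i_I)
    v = [1, 0, 0, 0, 0, 0, 0]                # constructed PA string, not in S_s
    print("key bit:", key_bit(i_I, v), "balanced in coset:", ones_in_coset(xi_alice, v))
```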



G Eve's Information Versus the disturbance 



In this appendix we do not prove Lemma 3.3 immediately. We prove it later on, in the second subsection (the tight bound). For simplicity of the presentation, we first prove another lemma which leads to a loose bound (with an additional factor of $2^r$), for which the derivation is simpler. The bulk of the loose bound was derived in [?], and the tight bound is an improvement over that derivation. The loose bound leads to a much worse threshold for $p_{allowed}$ (less than 1%, instead of 7.56% derived from the tight bound), and this is the motivation for deriving the tight bound. One can skip directly to the second subsection if desired.

Both the loose and the tight bound are derived using the fact that the Shannon distinguishability between the parity 0 density matrix, $\rho_0$, and the parity 1 density matrix, $\rho_1$, is bounded by the trace norm of $\rho_0 - \rho_1$, and using the fact that one can easily calculate this trace norm when the purified states are given by Eq. [?].

G.1 The Loose Bound (BBBGM)

We have already defined a purification of Eve's state: $|\psi_{i_I}\rangle = \sum_l (-1)^{i_I\cdot l}|\eta_l\rangle$. The density matrix for such a $|\psi_{i_I}\rangle$ is

$$\rho_{i_I} = |\psi_{i_I}\rangle\langle\psi_{i_I}| = \sum_{l,l'}(-1)^{i_I\cdot(l\oplus l')}|\eta_l\rangle\langle\eta_{l'}| \qquad (21)$$

Recall that the final key is computed as $v\cdot i_I$. Eve does not know $i_I$, but she knows from the announced syndrome that $i_I$ is in the coset $C_\xi$ for $\xi = \xi_{Alice}$. Hence, in order to know the key, Eve must distinguish between the states $i_I = i_\xi\oplus c$ in $C_\xi$ that give parity zero and the states $i_I = i_\xi\oplus c$ in $C_\xi$ that give parity one. For $b\in\{0,1\}$ the reduced density matrix is

$$\begin{aligned}
\rho_b &= \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ v\cdot(i_\xi\oplus c)=b}}\rho_{i_\xi\oplus c}\\
&= \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ v\cdot(i_\xi\oplus c)=b}}\sum_{l,l'}(-1)^{(i_\xi\oplus c)\cdot(l\oplus l')}\,d_l d_{l'}\,|\hat\eta_l\rangle\langle\hat\eta_{l'}|
\end{aligned}$$

where the sum is over $c$ that satisfy both the condition of being a code word, and the condition of leading to the particular parity $b$ for the PA.

Lemma. Let $C$ be any linear code in $\{0,1\}^n$ and $a\in\{0,1\}^n$ be such that $a\notin C^\perp$; then

$$\sum_{c\in C}(-1)^{c\cdot a} = 0 \qquad (22)$$

Proof. Let $\{w_1,\ldots,w_k\}$ be a basis of $C$. Define $t\in\{0,1\}^k$ by $t_\alpha = w_\alpha\cdot a$; the condition $a\notin C^\perp$ means that $t$ is not the zero string. Let now $h:\{0,1\}^k\to C$ be defined by $h(s) = \sum_{1\le\alpha\le k} s_\alpha w_\alpha$; then $h(s)\cdot a = \sum_\alpha s_\alpha\, w_\alpha\cdot a = \sum_\alpha s_\alpha t_\alpha = s\cdot t$ and so

$$\sum_{c\in C}(-1)^{c\cdot a} = \sum_s (-1)^{h(s)\cdot a} = \sum_s (-1)^{s\cdot t} = 0.$$


[1] In fact there is a unique $i_\xi\in(S_s)^\perp\cap C_\xi$ but that is irrelevant for our proofs.
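A brute-force check of the character-sum lemma (22) and of the quantity $\bar v = \min_{v_s\in S_s}|v\oplus v_s|$ that drives the bounds (23) and (28); added example, not the paper's code. The code $C$ is again a constructed $[7,4,3]$ Hamming code given by its parity-check rows, and the PA strings $v$ are constructed sample values.

```python
from itertools import product

# Constructed [7,4,3] Hamming code: rows generate S_s = C^perp, C is their kernel
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
N = 7


def dot(u, v):
    return sum(a & b for a, b in zip(u, v)) & 1


def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))


def code_words():
    """C = {c : H c = 0}."""
    return [x for x in product((0, 1), repeat=N) if all(dot(row, x) == 0 for row in H)]


def dual_code():
    """S_s = C^perp = row space of H."""
    words = set()
    for coeffs in product((0, 1), repeat=len(H)):
        w = (0,) * N
        for c, row in zip(coeffs, H):
            if c:
                w = xor(w, row)
        words.add(w)
    return words


def character_sum(a):
    """sum_{c in C} (-1)^{c . a}; by (22) this is 0 unless a is in C^perp,
    where every term is +1 and the sum is |C| = 2^k."""
    return sum((-1) ** dot(c, a) for c in code_words())


def lemma_22_holds():
    """Check (22) for every a in {0,1}^n against the explicit dual code."""
    S = dual_code()
    k = len(code_words())
    return all(character_sum(a) == (k if a in S else 0)
               for a in product((0, 1), repeat=N))


def v_bar(v):
    """Minimum weight of v xor v_s over v_s in S_s (the \\bar v of the lemmas).
    A PA string v inside S_s gives v_bar = 0, i.e. no protection at all."""
    return min(sum(xor(v, v_s)) for v_s in dual_code())


if __name__ == "__main__":
    print("(22) holds for all a:", lemma_22_holds())
    for v in [(1, 0, 0, 0, 0, 0, 0), (1, 1, 1, 0, 0, 0, 0), tuple(H[0])]:
        print(v, "-> v_bar =", v_bar(v))
```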



Lemma The Shannon distinguishability between the parity 0 and the parity 1 of the information bits over any PA string, $v$, is bounded above by the following inequality:

$$SD_v \le 2^r\left(a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2\right) \qquad (23)$$

where $\bar v$ is the minimum weight of $v\oplus v_s$ for any $v_s\in S_s$, and $a$ is any positive constant.



Proof. The Shannon distinguishability between the parity 0 and the parity 1 is bounded by the trace norm of $\rho_0-\rho_1$ ([?], [20]). Let us calculate the required bound:

$$\begin{aligned}
\rho_0-\rho_1 &= \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ v\cdot(i_\xi\oplus c)=0}}\sum_{l,l'}(-1)^{(i_\xi\oplus c)\cdot(l\oplus l')}d_l d_{l'}|\hat\eta_l\rangle\langle\hat\eta_{l'}| - \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ v\cdot(i_\xi\oplus c)=1}}\sum_{l,l'}(-1)^{(i_\xi\oplus c)\cdot(l\oplus l')}d_l d_{l'}|\hat\eta_l\rangle\langle\hat\eta_{l'}|\\
&= \frac{1}{2^{n-(r+1)}}\sum_{l,l'}\Big[\sum_{c\in C}(-1)^{(i_\xi\oplus c)\cdot(l\oplus l'\oplus v)}\Big]d_l d_{l'}|\hat\eta_l\rangle\langle\hat\eta_{l'}|\\
&= \frac{1}{2^{n-(r+1)}}\sum_{l,l'}(-1)^{i_\xi\cdot(l\oplus l'\oplus v)}\Big(\sum_{c\in C}(-1)^{c\cdot(l\oplus l'\oplus v)}\Big)d_l d_{l'}|\hat\eta_l\rangle\langle\hat\eta_{l'}|
\end{aligned}$$

From equation (22) we know the sum over $C$ is zero except when $l\oplus l'\oplus v\in C^\perp = S_s$, i.e. when $l' = l\oplus v\oplus v_s$ for some $v_s\in S_s$. As a consequence:

$$\rho_0-\rho_1 = 2\sum_{v_s\in S_s}(-1)^{i_\xi\cdot v_s}\sum_l d_l d_{l\oplus v\oplus v_s}|\hat\eta_l\rangle\langle\hat\eta_{l\oplus v\oplus v_s}|$$

The trace norm of this matrix serves as a bound on the information Eve receives:

$$SD_v \le \frac{1}{2}\mathrm{Tr}|\rho_0-\rho_1|$$

Using the above and making use of the triangle inequality for the trace norm, the following is obtained:

$$\begin{aligned}
SD_v &\le \mathrm{Tr}\Big|\sum_{v_s\in S_s}(-1)^{i_\xi\cdot v_s}\sum_l d_l d_{l\oplus v\oplus v_s}|\hat\eta_l\rangle\langle\hat\eta_{l\oplus v\oplus v_s}|\Big|\\
&\le \sum_{v_s\in S_s}\frac{1}{2}\mathrm{Tr}\Big|\sum_l d_l d_{l\oplus v\oplus v_s}\big(|\hat\eta_l\rangle\langle\hat\eta_{l\oplus v\oplus v_s}| + |\hat\eta_{l\oplus v\oplus v_s}\rangle\langle\hat\eta_l|\big)\Big|\\
&\le \sum_{v_s\in S_s}\sum_l d_l d_{l\oplus v\oplus v_s}
\end{aligned}$$

Now we will concern ourselves with bounding each of the terms $\sum_l d_l d_{l\oplus w_s}$, where $w_s = v\oplus v_s$.



$$\sum_l d_l d_{l\oplus w_s} = \sum_{|l|>\bar v/2} d_l d_{l\oplus w_s} + \sum_{|l'\oplus w_s|<\bar v/2} d_{l'\oplus w_s}\, d_{l'}$$

If $|l'\oplus w_s| < \bar v/2$ then $|w_s| = |l'\oplus w_s\oplus l'| \le |l'\oplus w_s| + |l'| < \bar v/2 + |l'|$, and since $|w_s|\ge\bar v$, $|l'| > \bar v/2$. Therefore,

$$\begin{aligned}
\sum_{|l|>\bar v/2} d_l d_{l\oplus w_s} + \sum_{|l'\oplus w_s|<\bar v/2} d_{l'\oplus w_s}\, d_{l'} &\le \sum_{|l|>\bar v/2} d_l d_{l\oplus w_s} + \sum_{|l'|>\bar v/2} d_{l'\oplus w_s}\, d_{l'}\\
&= 2\sum_{|l|>\bar v/2} d_l d_{l\oplus w_s}\\
&\le \sum_{|l|>\bar v/2}\left(a\, d_{l\oplus w_s}^2 + \frac{1}{a}d_l^2\right)\\
&= a\sum_{|l|>\bar v/2} d_{l\oplus w_s}^2 + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2
\end{aligned}$$

where the last steps are true for any real $a>0$ and real $d_l, d_{l\oplus w_s}$ (since $2xy \le a x^2 + y^2/a$).

Due to the fact that the $d_l^2$ form a probability distribution, any sum of them is less than or equal to unity:

$$\sum_l d_l d_{l\oplus w_s} \le a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2$$

where $\bar v = \min_{v_s}|v\oplus v_s|$ (remember that $w_s = v\oplus v_s$). Summing over all $v_s\in S_s$ now leaves:

$$SD_v \le 2^r\left(a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2\right) \qquad (24)$$

QED

The BBBGM result gives an upper bound for Eve's information about the bit defined by this privacy amplification string $v$. To prove security in case of $m$ bits in the final key, we prove security of each bit as follows: for each bit in the key we assume that Eve is given the ECC information and, in addition, she is also given all the other bits in the key. This is like using a code with more parity check strings, $2^{r+m-1}$ (or fewer code words), hence the previous result holds with

$$SD_v \le 2^{r+m-1}\left(a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2\right) \qquad (25)$$

Following the proof of the above lemma, one can see that it is not a tight bound since we sum over $2^r$ terms while most of them are much smaller than the term (terms) with the minimal $\bar v$.

G.2 Eve's Information on one bit — Tight Bound 

We now show an improved technique, by defining a basis for the purification of the code words (instead of a basis for all the purifications).

We will now make a finer analysis of Eve's state after she learns the parity matrix and the syndrome $\xi = \xi_{Alice}$. We start again from the equality:

$$|\psi_{i_I}\rangle = \sum_l (-1)^{i_I\cdot l}|\eta_l\rangle \qquad (26)$$

First, any $l\in\{0,1\}^n$ has a unique representation $l = m\oplus n$ with $m\in S_s^c$ and $n\in S_s$. Next, for any $i_I\in C_\xi$ we have $i_I = i_\xi\oplus c$ for some $c\in C$ and thus for any $n\in S_s$ we get $i_I\cdot n = (i_\xi\oplus c)\cdot n = i_\xi\cdot n$ [because $n\in S_s = C^\perp$]. Putting those two remarks together we get:



$$\begin{aligned}
|\psi_{i_I}\rangle &= \sum_{m\in S_s^c}\sum_{n\in S_s}(-1)^{i_I\cdot(m\oplus n)}|\eta_{m\oplus n}\rangle\\
&= \sum_{m\in S_s^c}\sum_{n\in S_s}(-1)^{i_I\cdot m}(-1)^{i_\xi\cdot n}|\eta_{m\oplus n}\rangle\\
&= \sum_{m\in S_s^c}(-1)^{i_I\cdot m}\sum_{n\in S_s}(-1)^{i_\xi\cdot n}|\eta_{m\oplus n}\rangle\\
&= \sum_{m\in S_s^c}(-1)^{i_I\cdot m}|\eta'_m\rangle
\end{aligned}$$

where $\eta'_m$ is of course defined for each $m\in S_s^c$ by

$$|\eta'_m\rangle = \sum_{n\in S_s}(-1)^{i_\xi\cdot n}|\eta_{m\oplus n}\rangle \qquad (27)$$

Now, since $\langle\eta_{m_1\oplus n_1}|\eta_{m_2\oplus n_2}\rangle = 0$ except when $m_1\oplus n_1 = m_2\oplus n_2$, which implies $m_1 = m_2$, the $\eta'_m$'s are orthogonal. If $d'_m$ is the length of $\eta'_m$, we can then write

$$|\eta'_m\rangle = d'_m|\hat\eta'_m\rangle$$

with the $\hat\eta'_m$'s normalized and orthogonal and

$$d'^2_m = \sum_{n\in S_s} d^2_{m\oplus n}$$

and the density matrix for $i_I$ reduces to:

$$\rho_{i_I} = \sum_{m,m'\in S_s^c}(-1)^{i_I\cdot(m\oplus m')}|\eta'_m\rangle\langle\eta'_{m'}|$$

Recall that the final key is computed as $b = v\cdot i_I$. Of course, Eve does not know $i_I$, but she knows from the announced syndrome $\xi = \xi_{Alice}$ that $i_I\in C_\xi = \{i_\xi\oplus c \mid c\in C\}$ and wants to determine $b$. For $b\in\{0,1\}$ the reduced density matrix is



$$\begin{aligned}
\rho_b &= \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ (i_\xi\oplus c)\cdot v=b}}\rho_{i_\xi\oplus c}\\
&= \frac{1}{2^{n-(r+1)}}\sum_{\substack{c\in C\\ (i_\xi\oplus c)\cdot v=b}}\sum_{m,m'\in S_s^c}(-1)^{(i_\xi\oplus c)\cdot(m\oplus m')}d'_m d'_{m'}|\hat\eta'_m\rangle\langle\hat\eta'_{m'}|
\end{aligned}$$



Lemma G.1 (Lemma 3.3) The Shannon distinguishability between the parity 0 and the parity 1 of the information bits over any PA string, $v$, is bounded above by the following inequality:

$$SD_v \le a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2 , \qquad (28)$$

where $\bar v$ is the minimum weight of $v\oplus v_s$ for any $v_s\in S_s$, and $a$ is any positive constant.

Proof: The Shannon distinguishability between the parity 0 and the parity 1 is bounded by the trace norm of $\rho_0-\rho_1$:

$$\begin{aligned}
\rho_0-\rho_1 &= \frac{1}{2^{n-(r+1)}}\sum_{c\in C}(-1)^{(i_\xi\oplus c)\cdot v}\sum_{m,m'\in S_s^c}(-1)^{(i_\xi\oplus c)\cdot(m\oplus m')}d'_m d'_{m'}|\hat\eta'_m\rangle\langle\hat\eta'_{m'}|\\
&= \frac{1}{2^{n-(r+1)}}\sum_{m,m'\in S_s^c}\Big(\sum_{c\in C}(-1)^{(i_\xi\oplus c)\cdot(m\oplus m'\oplus v)}\Big)d'_m d'_{m'}|\hat\eta'_m\rangle\langle\hat\eta'_{m'}|\\
&= \frac{1}{2^{n-(r+1)}}\sum_{m,m'\in S_s^c}(-1)^{i_\xi\cdot(m\oplus m'\oplus v)}\Big(\sum_{c\in C}(-1)^{c\cdot(m\oplus m'\oplus v)}\Big)d'_m d'_{m'}|\hat\eta'_m\rangle\langle\hat\eta'_{m'}|
\end{aligned}$$

Applying equality (22), the sum indexed by $c$ is zero except when $m\oplus m'\oplus v\in C^\perp = S_s$. But $m\oplus m'\oplus v\in S_s^c$ because $m$, $m'$ and $v\in S_s^c$. This implies $m\oplus m'\oplus v\in S_s\cap S_s^c = \{0\}$ and thus $m' = m\oplus v$. Of course, with $m\oplus m'\oplus v = 0$, the sum indexed by $c$ is $2^k = 2^{n-r}$ and the coefficient $(-1)^{i_\xi\cdot(m\oplus m'\oplus v)}$ is 1. Therefore $\rho_0-\rho_1$ takes the very simple form:

$$\rho_0-\rho_1 = 2\sum_{m\in S_s^c} d'_m d'_{m\oplus v}|\hat\eta'_m\rangle\langle\hat\eta'_{m\oplus v}|$$

As usual, the trace norm of this matrix serves as a bound on the information Eve receives. It is

$$SD_v \le \frac{1}{2}\mathrm{Tr}|\rho_0-\rho_1|$$

First note that $v$ is in $S_s^c$ and $S_s^c$ is closed under addition. Further, the set $S_s^c$ is the same as $v\oplus S_s^c$. Then the set defined by $m\in S_s^c$ is identical to the set $m\oplus v\in S_s^c$. We will use this identity to obtain the following inequality:

$$\begin{aligned}
SD_v &\le \mathrm{Tr}\Big|\sum_{m\in S_s^c} d'_m d'_{m\oplus v}|\hat\eta'_m\rangle\langle\hat\eta'_{m\oplus v}|\Big|\\
&= \frac{1}{2}\mathrm{Tr}\Big|\sum_{m\in S_s^c} d'_m d'_{m\oplus v}|\hat\eta'_m\rangle\langle\hat\eta'_{m\oplus v}| + \sum_{m\in S_s^c} d'_{m\oplus v} d'_m|\hat\eta'_{m\oplus v}\rangle\langle\hat\eta'_m|\Big|\\
&= \frac{1}{2}\mathrm{Tr}\Big|\sum_{m\in S_s^c} d'_m d'_{m\oplus v}\big(|\hat\eta'_m\rangle\langle\hat\eta'_{m\oplus v}| + |\hat\eta'_{m\oplus v}\rangle\langle\hat\eta'_m|\big)\Big|\\
&\le \frac{1}{2}\sum_{m\in S_s^c} d'_m d'_{m\oplus v}\,\mathrm{Tr}\big||\hat\eta'_m\rangle\langle\hat\eta'_{m\oplus v}| + |\hat\eta'_{m\oplus v}\rangle\langle\hat\eta'_m|\big|\\
&= \sum_{m\in S_s^c} d'_m d'_{m\oplus v}
\end{aligned}$$



Now we wish to give a bound in terms of the original $d_l$'s. Let us define

$$\Gamma_0 = \{m\in S_s^c \mid |m\oplus n| > \bar v/2\ \ \forall n\in S_s\}$$

where $\bar v$ was defined in the statement of the lemma. We claim that for any $m\in S_s^c$, either $m\in\Gamma_0$ or $m\oplus v\in\Gamma_0$. Indeed, if it were not so, there would be $n_1\in S_s$ and $n_2\in S_s$ such that $|m\oplus n_1| < \bar v/2$ and $|m\oplus v\oplus n_2| < \bar v/2$. But then $|n_1\oplus n_2\oplus v| = |m\oplus n_1\oplus m\oplus n_2\oplus v| < \bar v/2 + \bar v/2$ which, since $n_1\oplus n_2\in S_s$, contradicts the definition of $\bar v$.

We now use the claim to break up the sum bounding $SD_v$ and prove the lemma.

$$\begin{aligned}
SD_v &\le \sum_{m\in S_s^c} d'_m d'_{m\oplus v}\\
&\le \sum_{m\in\Gamma_0} d'_m d'_{m\oplus v} + \sum_{m\oplus v\in\Gamma_0} d'_m d'_{m\oplus v}\\
&= 2\sum_{m\in\Gamma_0} d'_m d'_{m\oplus v}\\
&\le a\sum_{m\in\Gamma_0} d'^2_{m\oplus v} + \frac{1}{a}\sum_{m\in\Gamma_0} d'^2_m\\
&= a\sum_{m\in\Gamma_0}\sum_{n\in S_s} d^2_{m\oplus v\oplus n} + \frac{1}{a}\sum_{m\in\Gamma_0}\sum_{\substack{n\in S_s\\ |m\oplus n|>\bar v/2}} d^2_{m\oplus n}
\end{aligned}$$

Due to the fact that the $d_l^2$ form a probability distribution, any sum of them is less than or equal to unity:

$$SD_v \le a + \frac{1}{a}\sum_{|l|>\bar v/2} d_l^2 \qquad (29)$$

QED



Note that the number of parity check strings $r$ doesn't appear in the final expression, and this might seem surprising. However, it does appear there implicitly, since increasing $r$ by one increases the number of parity check strings from $2^r - 1$ to $2^{r+1} - 1$, hence potentially decreases $\bar v$.



H Security of the Entire Key 

We give a proof that bitwise security implies security of the entire string. This is first shown classically, 
and then making use of Shannon Distinguishability, the same bound holds for quantum bits. 



H.l Classical Information Theory 



Lemma H.1 For independent random variables $A_i$, $i\in\{1,2,\ldots,m\}$, and random variable $\mathcal{E}$

$$I(A_i;\mathcal{E}\mid A_1,\ldots,A_{i-1}) \le I(A_i;\mathcal{E}\mid A_1,\ldots,A_{i-1},A_{i+1},\ldots,A_m)$$

Proof: First we define a few sets: $A_{<i} = \{A_1,A_2,\ldots,A_{i-1}\}$, $A_{>i} = \{A_{i+1},A_{i+2},\ldots,A_m\}$, and $A_{\ne i} = \{A_1,A_2,\ldots,A_{i-1},A_{i+1},\ldots,A_m\}$. Of course, $A_{\ne i} = A_{<i}\cup A_{>i}$. In this notation the lemma says: $I(A_i;\mathcal{E}\mid A_{\ne i}) - I(A_i;\mathcal{E}\mid A_{<i}) \ge 0$.

$$\begin{aligned}
I(A_i;\mathcal{E}\mid A_{\ne i}) - I(A_i;\mathcal{E}\mid A_{<i}) &= H(A_i\mid A_{\ne i}) - H(A_i\mid\mathcal{E},A_{\ne i}) - H(A_i\mid A_{<i}) + H(A_i\mid\mathcal{E},A_{<i})\\
&= \big(H(A_i\mid\mathcal{E},A_{<i}) - H(A_i\mid\mathcal{E},A_{\ne i})\big) - \big(H(A_i\mid A_{<i}) - H(A_i\mid A_{\ne i})\big)\\
&= \big(H(A_i\mid\mathcal{E},A_{<i}) - H(A_i\mid\mathcal{E},A_{<i},A_{>i})\big) - \big(H(A_i\mid A_{<i}) - H(A_i\mid A_{<i},A_{>i})\big)\\
&= I(A_i;A_{>i}\mid\mathcal{E},A_{<i}) - I(A_i;A_{>i}\mid A_{<i})
\end{aligned}$$

Due to the independence of the $A_i$, $I(A_i;A_{>i}\mid A_{<i}) = 0$. Since any information is non-negative, $I(A_i;A_{>i}\mid\mathcal{E},A_{<i}) \ge 0$. Hence $I(A_i;A_{>i}\mid\mathcal{E},A_{<i}) - I(A_i;A_{>i}\mid A_{<i}) \ge 0$. QED

Theorem H.1 For independent random variables $A_i$, $i\in\{1,2,\ldots,m\}$, and random variable $\mathcal{E}$

$$I(A_1,A_2,\ldots,A_m;\mathcal{E}) \le m\,\max_i\big(I(A_i;\mathcal{E}\mid A_1,A_2,\ldots,A_{i-1},A_{i+1},\ldots,A_m)\big)$$

Proof: Here we simply apply the chain rule for mutual information [21] and we then apply the above lemma. We will use the same notions introduced in the previous proof.

$$\begin{aligned}
I(A_1,A_2,\ldots,A_m;\mathcal{E}) &= \sum_i I(A_i;\mathcal{E}\mid A_{<i})\\
&\le \sum_i I(A_i;\mathcal{E}\mid A_{\ne i})\\
&\le \sum_i \max_{i'}\big(I(A_{i'};\mathcal{E}\mid A_{\ne i'})\big)\\
&= m\,\max_i\big(I(A_i;\mathcal{E}\mid A_{\ne i})\big)
\end{aligned}$$

QED

Lemma H.2 For independent random variables $A_i$, $i\in\{1,2,\ldots,m\}$, and random variable $\mathcal{E}$

$$I(A_1,A_2,\ldots,A_m;\mathcal{E}) \le m\,\max_{i,\,a_{\ne i}}\big(I(A_i;\mathcal{E}\mid A_{\ne i} = a_{\ne i})\big),$$

where $a_{\ne i}$ is a set of outcomes for all $A_j$ except $A_i$.

Proof: We must simply prove $I(A_i;\mathcal{E}\mid A_{\ne i}) \le \max_{a_{\ne i}} I(A_i;\mathcal{E}\mid A_{\ne i} = a_{\ne i})$ and then apply the previous theorem.

$$\begin{aligned}
I(A_i;\mathcal{E}\mid A_{\ne i}) &= \sum_{a_{\ne i}} P(A_{\ne i} = a_{\ne i})\, I(A_i;\mathcal{E}\mid A_{\ne i} = a_{\ne i})\\
&\le \sum_{a_{\ne i}} P(A_{\ne i} = a_{\ne i})\,\max_{a'_{\ne i}} I(A_i;\mathcal{E}\mid A_{\ne i} = a'_{\ne i})\\
&= \max_{a_{\ne i}} I(A_i;\mathcal{E}\mid A_{\ne i} = a_{\ne i})
\end{aligned}$$

QED



H.2 Quantum Connection 

We have used classical information theory to prove the above identities. In the quantum setting, Eve has a quantum system that may depend on Alice's bits, $A_i$. The classical formulas are all valid once a particular measurement on the system (POVM) is fixed by Eve, so that:

$$I(A_1,A_2,\ldots,A_m;\mathcal{E}_M) \le m\,\max_{i,\,a_{\ne i}} I(A_i;\mathcal{E}_M\mid A_{\ne i} = a_{\ne i}) \qquad (30)$$

where $\mathcal{E}_M$ is the random variable obtained by Eve's output from her measurement $M$. In particular the above is true for any measurement, $M$, that Eve may consider optimal to learn the bits of Alice's key, $A_i$, all at once.

Now we need the definition of Shannon Distinguishability:

$$SD^{i,a_{\ne i}} = \sup_M I(A_i;\mathcal{E}_M\mid A_{\ne i} = a_{\ne i}) \qquad (31)$$

Note, a measurement that achieves (or nearly achieves) this upper bound may not be optimal for eavesdropping on the entire key, but that is of no consequence to the proof. Therefore, $I(A_i;\mathcal{E}_M\mid A_{\ne i} = a_{\ne i}) \le SD^{i,a_{\ne i}}$ for all $M$ and in particular

$$I(A_i;\mathcal{E}_M\mid A_{\ne i} = a_{\ne i}) \le SD^{i,a_{\ne i}} \qquad (32)$$

Hence we have a bound for the total mutual information for any measurement Eve might consider optimal:

$$I(A_1,A_2,\ldots,A_m;\mathcal{E}_M) \le m\,\max_{i,\,a_{\ne i}} SD^{i,a_{\ne i}} \qquad (33)$$
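A numerical check of Theorem H.1 and Lemma H.2 on small classical distributions; added example, not the paper's code. The joint distributions are constructed: $A_1, A_2$ are independent uniform bits and $\mathcal{E}$ is a fixed classical function of them (the quantum step of H.2 is not modelled, only the classical inequality it relies on).

```python
from math import log2
from itertools import product


def marginal(joint, idx):
    """Marginal of a joint distribution (dict: outcome tuple -> prob) on the
    coordinates listed in idx."""
    out = {}
    for key, p in joint.items():
        sub = tuple(key[i] for i in idx)
        out[sub] = out.get(sub, 0.0) + p
    return out


def entropy(dist):
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def cond_mutual_info(joint, x, y, z):
    """I(X;Y|Z) = H(X,Z) + H(Y,Z) - H(X,Y,Z) - H(Z) for index tuples x, y, z."""
    return (entropy(marginal(joint, x + z)) + entropy(marginal(joint, y + z))
            - entropy(marginal(joint, x + y + z)) - entropy(marginal(joint, z)))


def condition(joint, idx, values):
    """Distribution given that the coordinates idx take the given values
    (None if that event has probability zero)."""
    sub = {k: p for k, p in joint.items() if tuple(k[i] for i in idx) == values}
    total = sum(sub.values())
    if total == 0:
        return None
    return {k: p / total for k, p in sub.items()}


def theorem_h1_sides(joint, m):
    """For a joint over (A_1, ..., A_m, E) return
    (I(A_1..A_m; E),  m * max_{i, a} I(A_i; E | A_{!=i} = a)),
    the two sides of the bound in Theorem H.1 / Lemma H.2."""
    e = (m,)
    lhs = cond_mutual_info(joint, tuple(range(m)), e, ())
    best = 0.0
    for i in range(m):
        others = tuple(j for j in range(m) if j != i)
        for a in product((0, 1), repeat=m - 1):
            cond = condition(joint, others, a)
            if cond is not None:
                best = max(best, cond_mutual_info(cond, (i,), e, ()))
    return lhs, m * best


def make_joint(eve_fn):
    """Constructed input: A_1, A_2 independent uniform bits, E = eve_fn(a1, a2)."""
    return {(a1, a2, eve_fn(a1, a2)): 0.25 for a1 in (0, 1) for a2 in (0, 1)}


def xor_example():
    """Eve learns only the parity a1 xor a2."""
    return theorem_h1_sides(make_joint(lambda a1, a2: a1 ^ a2), 2)


def full_example():
    """Eve learns both bits: the bound is met with equality."""
    return theorem_h1_sides(make_joint(lambda a1, a2: (a1, a2)), 2)


if __name__ == "__main__":
    for name, fn in (("xor", xor_example), ("full", full_example)):
        lhs, rhs = fn()
        print(f"{name}: I(A;E) = {lhs:.3f} <= m * max = {rhs:.3f}")
```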



I A Proof of Lemma |4» 1\ 

To prove this lemma we first note that $P(c_T,i_T,T=\mathrm{pass}\mid b,s) = P(c_T,i_T\mid b,s)$ when we sum only over such terms $c_T$ that pass the test. Then we apply Eq. (28), using $d_c^2 = P(c^\circ_I\mid i_T,j_T,b,s)$ (Appendix E) and the $m$-bit bound of Appendix H:

$$I(A;\mathcal{E}\mid i_T,j_T,b,s) \le m\left(a + \frac{1}{a}\sum_{|c^\circ_I|>\bar v/2} P(c^\circ_I\mid i_T,j_T,b,s)\right)$$

Thus:

$$\begin{aligned}
\sum_{i_T,c_T} P(T=\mathrm{pass},i_T,c_T\mid b,s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s)
&= \sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{i_T} P(i_T,c_T\mid b,s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s)\\
&\le m\left(a\sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{i_T}P(i_T,c_T\mid b,s) + \frac{1}{a}\sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{i_T}P(i_T,c_T\mid b,s)\sum_{|c^\circ_I|>\bar v/2}P(c^\circ_I\mid c_T,i_T,b,s)\right)\\
&= m\left(a\,P(T=\mathrm{pass}\mid b,s) + \frac{1}{a}\sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{|c^\circ_I|>\bar v/2}\sum_{i_T}P(c^\circ_I,c_T,i_T\mid b,s)\right)\\
&= m\left(a\,P(T=\mathrm{pass}\mid b,s) + \frac{1}{a}\sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{|c^\circ_I|>\bar v/2}P(c^\circ_I,c_T\mid b,s)\right)
\end{aligned}$$

The dependence on $i_T$ has been removed by averaging over all values. Since the probability of passing the test, $P(T=\mathrm{pass}\mid b,s)$, is less than unity we replace it by 1. Also,

$$\sum_{\frac{|c_T|}{n}\le p_{allowed}}\sum_{|c^\circ_I|>\bar v/2}P(c^\circ_I,c_T\mid b,s) = P\!\left[\left(\tfrac{|c^\circ_I|}{n} > \tfrac{\bar v}{2n}\right)\cap\left(\tfrac{|c_T|}{n}\le p_{allowed}\right)\,\middle|\, b,s\right]$$

Thus,

$$\sum_{i_T,c_T} P(T=\mathrm{pass},i_T,c_T\mid b,s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le m\left(a + \frac{1}{a}P\!\left[\left(\tfrac{|c^\circ_I|}{n} > \tfrac{\bar v}{2n}\right)\cap\left(\tfrac{|c_T|}{n}\le p_{allowed}\right)\,\middle|\, b,s\right]\right)$$



J A Proof of Lemma \4.2 

Here we show that:

$$\sum_b P\!\left(\left(\tfrac{|c^\circ_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right) = \sum_b P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right) \qquad (34)$$

There are $2^{2n}$ possible basis strings that Alice is equally likely to choose. Therefore $P(b) = \frac{1}{2^{2n}}$. Combining the above with the average over $b$ of Lemma 4.1 we get the desired result:

$$\sum_{i_T,c_T,b} P(T=\mathrm{pass},i_T,c_T,b\mid s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le m\left(a + \frac{1}{a}\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c^\circ_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right]\right) \qquad (35)$$

We have assumed a particular basis string $b$ was announced, and that a bit-selection string $s$ was announced. For a fixed bit-selection $s$ and bases $b$ we define the unique strings $b_I$ and $b_T$ which are two substrings of $b$ where one contains only the bases of the information bits, and the other only the bases of the test bits, while the internal order (inside $b_I$ and $b_T$) is as the internal order in $b$. For instance, if $s = 111100001100$ and $b = 010100110101$ then $b_I = 001101$ and $b_T = 010101$.

Recall that $c^\circ_I$ is the error string had the opposite basis been used for the information bits. Thus we can equivalently write:

$$P\!\left(\left(\tfrac{|c^\circ_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b_I,b_T,s\right) = P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, \bar b_I,b_T,s\right)$$

where $\bar b_I$ denotes the complemented (opposite) basis string for the information bits. Averaging over all bases of the information bits $b_I$ we get

$$\sum_{b_I} P\!\left(\left(\tfrac{|c^\circ_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b_I,b_T,s\right) = \sum_{b_I} P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b_I,b_T,s\right),$$

Now we can also sum over the bases of the test bits to get

$$\sum_{b_I,b_T} P\!\left(\left(\tfrac{|c^\circ_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b_I,b_T,s\right) = \sum_{b_I,b_T} P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b_I,b_T,s\right),$$

so that

$$\sum_{i_T,c_T,b} P(T=\mathrm{pass},i_T,c_T,b\mid s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le m\left(a + \frac{1}{a}\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right]\right) \qquad (36)$$

Note that in the above equation the dependence on $b$ in the right hand side has been removed by averaging. This is just the average over all choices of basis.



K A Proof of Lemma \4-3 

To prove that:

$$\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le 2m\sqrt{\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b\right]} \qquad (37)$$

we start with:

$$\sum_{i_T,c_T,b} P(T=\mathrm{pass},i_T,c_T,b\mid s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le m\left(a + \frac{1}{a}\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right]\right)$$

Each order string $s$ must have an equal number of zeros and ones. Aside from that, each is equally likely. So Alice chooses them with $P(s) = 1/\binom{2n}{n}$. The right hand side of the average over $s$ of the above equation is:

$$m\left(a + \frac{1}{a}\frac{1}{2^{2n}}\sum_b\left[\frac{1}{\binom{2n}{n}}\sum_s P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right]\right]\right)$$

We are now, for each fixed basis string $b$, able to bound each term in the $[\,]$ parenthesis by a law of large numbers. The probability that a test string will be chosen such that it passes the test, but the remaining information string would not pass the test, given basis $b$, is written as:

$$P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b\right) = \frac{1}{\binom{2n}{n}}\sum_s P\!\left(\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b,s\right)$$

Making use of the above and choosing $a = \sqrt{\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b\right]}$ to minimize the bound we have the result. Hence,

$$\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\, I(A;\mathcal{E}\mid i_T,c_T,b,s) \le 2m\sqrt{\frac{1}{2^{2n}}\sum_b P\!\left[\left(\tfrac{|c_I|}{n} > p_a+\epsilon\right)\cap\left(\tfrac{|c_T|}{n}\le p_a\right)\,\middle|\, b\right]} \qquad (38)$$

QED



L A Proof of Lemma 4.4



In this Appendix let $c$ denote the combination of $c_T$ and $c_I$, instead of the combination of $c_T$, $c_{II}$ and $c_I$, and let $C$ be the random variable corresponding to $c$. Let
\[
h_b = P\Big[\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon\Big)\cap\Big(\tfrac{|c_T|}{n} < p_{allowed}\Big)\,\Big|\,b\Big].
\]
This $h_b$ is the probability that the information has $\epsilon$ more than the allowed error rate, when the test has less than the allowed error rate, averaged over all choices of test and information, for a particular basis $b$.
\[
\begin{aligned}
h_b &= \sum_{|c|} P\Big[\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon\Big)\cap\Big(\tfrac{|c_T|}{n} < p_{allowed}\Big)\cap\big(|C| = |c|\big)\,\Big|\,\mathrm{Basis}=b\Big] \\
&= \sum_{|c|} P\Big[\Big\{\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon\Big)\cap\Big(\tfrac{|c_T|}{n} < p_{allowed}\Big)\Big\}\ \text{given}\ |c|,b\Big]\,P(|c|\ \text{given}\ b).
\end{aligned}
\]
Note that in principle $P(c\mid b)$, and hence also $P(|c|\ \text{given}\ b) = P(|C| = |c|\ \text{given}\ b)$, can be calculated, but we shall soon see that there is no need to calculate $P(|c|\ \text{given}\ b)$.

Now we must note that $P\big[\big\{\big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon\big)\cap\big(\tfrac{|c_T|}{n} < p_{allowed}\big)\big\}\ \text{given}\ |c|,b\big]$ does not depend on the attack. In fact, in this expression the basis $b$ is superfluous. Once a basis is fixed, and the numbers of errors are given ($|c|$ and $b$), then we are safely in the hands of random sampling. Any choice of which bits are used as information bits will not change $|c|$ or $b$. Of course $c_I$, $c_T$ and $c$ are not independent. By definition, $|c| = |c_I| + |c_T|$. If $|c_I| > n(p_{allowed}+\epsilon)$ and $|c_T| < n\,p_{allowed}$, then $|c_I| - |c_T| > n\epsilon$. So:
\[
P\Big[\Big\{\big(|c_I| > n(p_{allowed}+\epsilon)\big)\cap\big(|c_T| < n\,p_{allowed}\big)\Big\}\ \text{given}\ |c|,b\Big]
\le P\Big[\Big(|c_I| > \frac{|c|}{2} + \frac{n\epsilon}{2}\Big)\ \text{given}\ |c|,b\Big].
\]
It is the probability that a sampled subset has a weight which is $n\epsilon/2$ more than the average. Intuitively, it may be obvious that the weight of the test string should be equal to half the weight of the full string. By Hoeffding's bound² we make this rigorous (see Appendix M). Hence
\[
P\Big[\Big(|c_I| > \frac{|c|}{2} + \frac{n\epsilon}{2}\Big)\ \text{given}\ |c|,b\Big] \le 2e^{-\frac{1}{2}n\epsilon^2}. \tag{39}
\]
\[
\begin{aligned}
h_b &= P\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon,\ \tfrac{|c_T|}{n} < p_{allowed}\,\Big|\,\mathrm{Basis}=b\Big) \\
&= \sum_{|c|} P\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon,\ \tfrac{|c_T|}{n} < p_{allowed}\ \text{given}\ |c|,b\Big)\,P(|c|\ \text{given}\ b) \\
&\le 2e^{-\frac{1}{2}n\epsilon^2}\sum_{|c|} P(|c|\ \text{given}\ b).
\end{aligned}
\]
So finally we summarize the result to be
\[
h_b = P\Big(\tfrac{|c_I|}{n} > p_{allowed}+\epsilon,\ \tfrac{|c_T|}{n} < p_{allowed}\,\Big|\,\mathrm{Basis}=b\Big) \le 2e^{-\frac{1}{2}n\epsilon^2}. \tag{40}
\]
This result for $h_b$ is useful both for the reliability proof and the security proof. QED
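As an added illustration (not code from the paper), the following Python computes the exact probability that (39) bounds for a constructed error string of weight $|c|$ among $2n$ positions, estimates it by Monte Carlo, and compares both with the Hoeffding bound $2e^{-n\epsilon^2/2}$; the function names and sample parameters are assumptions.

```python
import math
import random

def hoeffding_bound(n: int, eps: float) -> float:
    """Right-hand side of (39) and (40): 2 * exp(-n * eps^2 / 2)."""
    return 2.0 * math.exp(-0.5 * n * eps * eps)

def exact_tail(n: int, weight: int, eps: float) -> float:
    """Exact P(|c_I| > |c|/2 + n*eps/2 given |c| = weight) when the n information
    positions are chosen uniformly among the 2n positions without replacement.
    This is a hypergeometric tail: k of the `weight` errors land in c_I."""
    two_n = 2 * n
    threshold = weight / 2 + n * eps / 2
    total = math.comb(two_n, n)            # number of bit-selection strings s
    tail = 0.0
    for k in range(0, min(weight, n) + 1):
        if k > threshold:
            # math.comb returns 0 when n - k exceeds the number of error-free positions
            tail += math.comb(weight, k) * math.comb(two_n - weight, n - k) / total
    return tail

def empirical_tail(n: int, weight: int, eps: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the same tail: draw s at random `trials` times on a
    constructed error string c with `weight` ones and count how often the
    information half carries more than |c|/2 + n*eps/2 errors."""
    rng = random.Random(seed)
    c = [1] * weight + [0] * (2 * n - weight)   # constructed error string of weight |c|
    threshold = weight / 2 + n * eps / 2
    hits = 0
    for _ in range(trials):
        info_positions = rng.sample(range(2 * n), n)  # s: the n information positions
        if sum(c[i] for i in info_positions) > threshold:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    n, weight, eps = 1000, 100, 0.06       # 2n = 2000 bits, 5% errors overall, eps = 0.06
    print("exact tail      :", exact_tail(n, weight, eps))
    print("empirical tail  :", empirical_tail(n, weight, eps, trials=2000))
    print("Hoeffding bound :", hoeffding_bound(n, eps))
```

For these parameters the exact tail is far below the bound, which illustrates how loose (but sufficient) the Hoeffding estimate is at moderate $n$.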

M Hoeffding 

We need to bound the probability $P(|c_I| > \frac{|c|}{2} + \frac{n\epsilon}{2},\ \text{given}\ |c|)$. Recall that half of the bits are randomly selected to be test bits. This is random sampling without replacement. For the above probability we are given an error string $c$. Each bit in the error string is one or zero according to whether or not there is an error at that position.

Therefore, $P(|c_I| > \frac{|c|}{2} + \frac{n\epsilon}{2},\ \text{given}\ |c|)$ is the probability that a sampled average is greater than the entire sample average by more than $\epsilon/2$. This case was studied by Hoeffding [10]. The following bound is given in [11]:
\[
P\Big(\Big|\frac{1}{n}\sum_{i=1}^{n} Z_i - \mu\Big| \ge \frac{\epsilon}{2}\Big) \le 2e^{-\frac{1}{2}n\epsilon^2}. \tag{41}
\]
Note that $A$ in [11] represents $c$ in our notation, $\mu$ is the sample average $|c|/2n$, and the sum of the $Z_i$ is $|c_I|$.

Of course this bound is more restrictive than we need (due to the use of the absolute value). We only need $P\big(\frac{1}{n}\sum_i Z_i - \mu \ge \epsilon/2\big)$, which is smaller than the above bound, and therefore the above bound suffices. In fact, from Hoeffding's original paper [10] we can get the bound:



N Satisfying the Security Criterion 

So far we have not shown that the security criterion is satisfied by bounding the following:
\[
\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s) \le e^{2(\alpha-\beta n)}. \tag{43}
\]

We now show that when the above bound is satisfied, as shown in the paper, then the security criterion is satisfied:
\[
\mathrm{Prob}(\text{Test Passes and } I_{Eve} > e^{\alpha-\beta n}) \le e^{\alpha-\beta n}, \tag{44}
\]
where $I_{Eve} = I(A;\mathcal{E}\mid i_T,c_T,b,s)$.

To show the above, break the sum into the part where Eve has large information and the part where she has small information. Then standard bounding techniques are used:
\[
\begin{aligned}
\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s)
&= \sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}\le I'}} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s)
 + \sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}> I'}} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s) \\
&\ge \sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}> I'}} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s) \\
&\ge \Bigg(\sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}> I'}} P(T=\mathrm{pass},i_T,c_T,b,s)\Bigg)\, I'.
\end{aligned}
\]
The above steps follow from non-negativity of probability and mutual information. We are really already done:
\[
\Bigg(\sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}> I'}} P(T=\mathrm{pass},i_T,c_T,b,s)\Bigg)\, I'
\le \sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s). \tag{45}
\]
So far $I'$ is a free parameter. We can set it to any value we like, namely
\[
I' = \sqrt{\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s)}\,:
\]
\[
\mathrm{Prob}(\text{Test Passes and } I_{Eve} > I') = \sum_{\substack{i_T,c_T,b,s\\ \text{s.t. } I_{Eve}> I'}} P(T=\mathrm{pass},i_T,c_T,b,s)
\le \sqrt{\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s)}.
\]
If we assume that $\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s) \le e^{2(\alpha-\beta n)}$ then we have:
\[
\mathrm{Prob}(\text{Test Passes and } I_{Eve} > e^{\alpha-\beta n}) \le e^{\alpha-\beta n}. \tag{46}
\]
Thus, the bounds that we have shown satisfy the security criterion.

² BTW: a factor of 2 can be improved.

O Existence of Codes for Both Reliability and Security 

Choosing a code which is good when $n$ is large (for constant error rate) is not a trivial problem in ECC. A Random Linear Code (RLC) is one such code; however, it does not promise us that the distances are as required, but only gives the desired distances with probability as close to one as we want. With RLC, we find that the threshold below which a secure key can be obtained is $p_{allowed} < 7.56\%$.

In order to correct $t$ errors with certainty, a code must have a minimal Hamming distance between the code words $d \ge 2t + 1$, so that all original code words, even when distorted by $t$ errors, can still be identified correctly. For any $c_T$ which passes the test, we are promised (due to Lemma 4.4) that the probability of having $t = |c_I| > n(p_{allowed} + \epsilon_{rel})$ errors is smaller than $h_b = 2e^{-(1/2)n\epsilon_{rel}^2}$.

Thus, we need to choose a RLC that promises a Hamming distance at least $d$ such that $p_{allowed} + \epsilon_{rel} < t/n = \frac{d-1}{2n}$, and then the $t$ errors are corrected except for a probability smaller than $h_1 = 2e^{-(1/2)n\epsilon_{rel}^2}$.

For any $n$, $r = n - k$, and for $\delta$ such that $H_2(\delta) < r/n$, an arbitrary random linear code $(n,k,d)$ satisfies $d/n > \delta$, except for a probability (see [ ], Theorem 2.2)
\[
\mathrm{Prob}(d/n < \delta) \le \frac{c(\delta)}{\sqrt{n}}\,2^{\,n\left(H_2(\delta) - r/n\right)} = g_1, \tag{47}
\]
where $c(\delta)$ depends only on $\delta$.

If we choose $\delta = 2(p_{allowed} + \epsilon_{rel}) + 1/n$ then we are promised that the errors are corrected, except for the probability that the error rate is larger than expected or a bad code was chosen.

Using such a code, $\epsilon_{rel}$ is now a function of $\delta$, so that $\epsilon_{rel} = \delta/2 - 1/(2n) - p_{allowed}$ and therefore
\[
h_1 = 2e^{-(n/8)\left(\delta - \frac{1}{n} - 2p_{allowed}\right)^2} \tag{48}
\]
and almost all such codes correct all the errors.

Therefore, the code is reliable except for a probability $g_1 + h_1$.

The above result can be improved [ ] by taking RLC with distance $d - 1 > n(p_{allowed} + \epsilon_{rel})$ (without the factor of 2), since such a code can also correct $t = n(p_{allowed} + \epsilon_{rel})$ errors except for an exponentially small fraction $f_1$ of the possible errors. We get
\[
f_1 = 2e^{-(n/4)\left(\delta - \frac{1}{n} - p_{allowed}\right)^2} \tag{49}
\]
and it is exponentially small (in the limit of large $n$) for any $\delta > p_{allowed}$.

Recall that we choose $\epsilon_{sec}$ such that $|v| > 2n(p_{allowed} + \epsilon_{sec})$. Let $|v|$ be the minimal distance between one PA string and any other parity check string (or linear combination) taken from ECC and PA. Clearly, the Hamming weight of the dual code of the ECC, once the PA is also added, provides a lower bound on $|v|$. Thus, it is sufficient to demand $d^{\perp} > 2n(p_{allowed} + \epsilon_{sec})$ in order to prove security. Choosing a RLC for the ECC and PA, one cannot be completely sure that the distance indeed satisfies the constraint, but this shall be true with probability exponentially close to one. We use the dual code $(n, r^{\perp}, d^{\perp})$, where $r^{\perp} = n - r - m$. Such codes satisfy $d^{\perp}/n > \delta^{\perp}$, except for a fraction of
\[
\mathrm{Prob}(d^{\perp}/n < \delta^{\perp}) \le \frac{c(\delta^{\perp})}{\sqrt{n}}\,2^{\,n\left(H_2(\delta^{\perp}) - (n-r-m)/n\right)} = g_2, \tag{50}
\]
with $\delta^{\perp} = 2(p_{allowed} + \epsilon_{sec})$.

Assuming that Eve gets full information when the code fails we get:
\[
\sum_{i_T,c_T,b,s} P(T=\mathrm{pass},i_T,c_T,b,s)\,I(A;\mathcal{E}\mid i_T,c_T,b,s) \le m\Big(2e^{-\frac{1}{2}n\epsilon_{sec}^2} + g_2\Big). \tag{51}
\]

Since the first term is exponentially small we only need look at $g_2$. We also need to worry about the reliability, so we need $g_1$ and $f_1$ to be exponentially small as well. All of them are exponentially small if the following conditions are met:
\[
H_2(\delta) - r/n < 0,
\]
\[
H_2(\delta^{\perp}) + r/n + m/n - 1 < 0.
\]
Or written another way:
\[
H_2(p_{allowed} + \epsilon_{rel} + 1/n) < r/n,
\]
\[
H_2\big(2(p_{allowed} + \epsilon_{sec})\big) + H_2(p_{allowed} + \epsilon_{rel} + 1/n) < 1 - R_{secret},
\]
where $R_{secret} = m/n$. In the limit of large $n$ and $\epsilon$'s close to zero, $p_{allowed} < 7.56\%$ satisfies the bound and hence this is our threshold.

Asymptotically, any $R_{secret} < 1 - H_2(2p_a) - H_2(p_a)$ is secure and reliable for the given ECC+PA. Note that as $p_a$ goes to zero, $R_{secret}$ goes to 1, which means all the information bits are secret.
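As an added example (not from the paper), this Python evaluates the asymptotic rate $R_{secret} = 1 - H_2(2p_a) - H_2(p_a)$, locates the $7.56\%$ threshold by bisection, and checks the two finite-$n$ conditions above for given $r/n$, $m/n$ and $\epsilon$'s; the function names and sample parameters are assumptions.

```python
import math

def h2(x: float) -> float:
    """Binary entropy H_2(x) in bits, with the convention H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)

def secret_rate(p_a: float) -> float:
    """Asymptotic secret rate R_secret = 1 - H_2(2 p_a) - H_2(p_a) for ECC+PA built from an RLC."""
    return 1.0 - h2(2.0 * p_a) - h2(p_a)

def threshold(tol: float = 1e-10) -> float:
    """Largest p_a with a positive asymptotic rate, found by bisection on [0, 1/4]
    (both entropy terms increase on that interval, so secret_rate is decreasing)."""
    lo, hi = 0.0, 0.25                    # secret_rate(0) = 1 > 0 > secret_rate(0.25)
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if secret_rate(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo

def finite_n_conditions(p_allowed: float, eps_rel: float, eps_sec: float,
                        n: int, r_over_n: float, m_over_n: float) -> bool:
    """The two conditions under which g_1, f_1, h_1 and g_2 are all exponentially small:
       H_2(p_allowed + eps_rel + 1/n) < r/n  and
       H_2(2(p_allowed + eps_sec)) + H_2(p_allowed + eps_rel + 1/n) < 1 - m/n."""
    delta = p_allowed + eps_rel + 1.0 / n         # reliability: d - 1 > n(p_allowed + eps_rel)
    delta_perp = 2.0 * (p_allowed + eps_sec)     # security: dual distance above 2n(p_allowed + eps_sec)
    return h2(delta) < r_over_n and h2(delta_perp) + h2(delta) < 1.0 - m_over_n

if __name__ == "__main__":
    print(f"threshold p_a = {100 * threshold():.2f}%")
    for p in (0.01, 0.03, 0.05, 0.07):
        print(f"p_a = {p:.2f}: R_secret = {secret_rate(p):.4f}")
    # constructed parameters: 5% allowed error, eps = 0.5%, n = 10000, r/n = 0.32
    print("m/n = 0.15 ok:", finite_n_conditions(0.05, 0.005, 0.005, 10000, 0.32, 0.15))
    print("m/n = 0.20 ok:", finite_n_conditions(0.05, 0.005, 0.005, 10000, 0.32, 0.20))
```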

This threshold is based on the property of the code, and other codes might give worse thresholds. It is possible to replace the RLC by a code that can be decoded and encoded efficiently (e.g., a Reed-Solomon concatenated code), and add random PA strings. The Hamming distance between the PA check-strings and the ECC check-strings is still bounded below in the same way as for the RLC (see [ ]).

A better threshold can be obtained by using privacy-distillation instead of the standard ECC+PA approach.

Note that any probability of failure in the classical transmission can be added in the same way that $g_2$ is added. This is important to prove security in the case where a fault-tolerant classical transmission is not 100% reliable. It shows an important advantage over the proof of [14], which is based on fault-tolerant quantum ECC.



